From e85a016521cf2daf613671cd6d03ec380f94810f Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Mon, 22 Apr 2019 23:02:08 +0200
Subject: [PATCH 01/91] Parse pre-shared-key extension.

No documentation yet...
---
 scripts/base/init-bare.zeek                   |   6 ++
 src/analyzer/protocol/ssl/events.bif          |   3 +
 .../protocol/ssl/tls-handshake-analyzer.pac   |  52 ++++++++++++++++++
 .../protocol/ssl/tls-handshake-protocol.pac   |  38 +++++++++++++
 src/analyzer/protocol/ssl/types.bif           |   1 +
 .../.stdout                                   |  51 ++++++++++++++++-
 .../Traces/tls/tls13_psk_succesfull.pcap      | Bin 0 -> 4088 bytes
 .../protocols/ssl/tls-extension-events.test   |  14 ++++-
 8 files changed, 162 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Traces/tls/tls13_psk_succesfull.pcap

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 4575b3a694..cc328cd9aa 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4170,6 +4170,10 @@ export {
 		SignatureAlgorithm: count; ##< Signature algorithm number
 	};
 
+	type PSKIdentity: record {
+		identity: string; ##< PSK identity
+		obfuscated_ticket_age: count;
+	};
 
 ## Number of non-DTLS frames that can occur in a DTLS connection before
 ## parsing of the connection is suspended.
@@ -4191,6 +4195,8 @@ module GLOBAL;
 ##    directly and then remove this alias.
 type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
 
+type psk_identity_vec: vector of SSL::PSKIdentity;
+
 module X509;
 export {
 	type Certificate: record {
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 2ef675554f..774017eb9f 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -182,6 +182,9 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
 ##    ssl_rsa_client_pms ssl_server_signature
 event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
 
+event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec%);
+event ssl_extension_pre_shared_key_server_hello%(c: connection, is_orig: bool, selected_identity: count%);
+
 ## Generated if a named curve is chosen by the server for an SSL/TLS connection.
 ## The curve is sent by the server in the ServerKeyExchange message as defined
 ## in :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index 5cf250c366..8e0ae84455 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -411,6 +411,50 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 
+	function proc_pre_shared_key_server_hello(rec: HandshakeRecord, identities: PSKIdentitiesList, binders: PSKBindersList) : bool
+		%{
+		if ( ! ssl_extension_pre_shared_key_server_hello )
+			return true;
+
+		VectorVal* slist = new VectorVal(internal_type("psk_identity_vec")->AsVectorType());
+
+		if ( identities && identities->identities() )
+			{
+			uint32 i = 0;
+			for ( auto&& identity : *(identities->identities()) )
+				{
+				RecordVal* el = new RecordVal(BifType::Record::SSL::PSKIdentity);
+				el->Assign(0, new StringVal(identity->identity().length(), (const char*) identity->identity().data()));
+				el->Assign(1, val_mgr->GetCount(identity->obfuscated_ticket_age()));
+				slist->Assign(i++, el);
+				}
+			}
+
+		VectorVal* blist = new VectorVal(internal_type("string_vec")->AsVectorType());
+		if ( binders && binders->binders() )
+			{
+			uint32 i = 0;
+			for ( auto&& binder : *(binders->binders()) )
+				blist->Assign(i++, new StringVal(binder->binder().length(), (const char*) binder->binder().data()));
+			}
+
+		BifEvent::generate_ssl_extension_pre_shared_key_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
+			${rec.is_orig}, slist, blist);
+
+		return true;
+		%}
+
+	function proc_pre_shared_key_client_hello(rec: HandshakeRecord, selected_identity: uint16) : bool
+		%{
+		if ( ! ssl_extension_pre_shared_key_client_hello )
+			return true;
+
+		BifEvent::generate_ssl_extension_pre_shared_key_server_hello(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.is_orig}, selected_identity);
+
+		return true;
+		%}
+
 };
 
 refine typeattr ClientHello += &let {
@@ -520,6 +564,14 @@ refine typeattr PSKKeyExchangeModes += &let {
 	proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes);
 };
 
+refine typeattr OfferedPsks += &let {
+	proc : bool = $context.connection.proc_pre_shared_key_server_hello(rec, identities, binders);
+};
+
+refine typeattr SelectedPreSharedKeyIdentity += &let {
+	proc : bool = $context.connection.proc_pre_shared_key_client_hello(rec, selected_identity);
+};
+
 refine typeattr Handshake += &let {
 	proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length);
 };
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index f141a6e9b0..e3b2b88aeb 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -778,6 +778,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
 		EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0);
 		EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
 		EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
+		EXT_PRE_SHARED_KEY -> pre_shared_key: PreSharedKey(rec)[] &until($element == 0 || $element != 0);
 		default -> data: bytestring &restofdata;
 	};
 } &length=data_len+4 &exportsourcedata;
@@ -864,6 +865,43 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of {
 	default -> other : bytestring &restofdata &transient;
 };
 
+type SelectedPreSharedKeyIdentity(rec: HandshakeRecord) = record {
+	selected_identity: uint16;
+};
+
+type PSKIdentity() = record {
+	length: uint16;
+	identity: bytestring &length=length;
+	obfuscated_ticket_age: uint32;
+};
+
+type PSKIdentitiesList() = record {
+	length: uint16;
+	identities: PSKIdentity[] &until($input.length() == 0);
+} &length=length+2;
+
+type PSKBinder() = record {
+	length: uint8;
+	binder: bytestring &length=length;
+};
+
+type PSKBindersList() = record {
+	length: uint16;
+	binders: PSKBinder[] &until($input.length() == 0);
+} &length=length+2;
+
+type OfferedPsks(rec: HandshakeRecord) = record {
+	identities: PSKIdentitiesList;
+	binders: PSKBindersList;
+};
+
+type PreSharedKey(rec: HandshakeRecord) = case rec.msg_type of {
+	CLIENT_HELLO -> offered_psks : OfferedPsks(rec);
+	SERVER_HELLO -> selected_identity : SelectedPreSharedKeyIdentity(rec);
+	# ... well, we don't parse hello retry requests yet, because I don't have an example of them on the wire.
+	default -> other : bytestring &restofdata &transient;
+};
+
 type SignatureAlgorithm(rec: HandshakeRecord) = record {
 	length: uint16;
 	supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0);
diff --git a/src/analyzer/protocol/ssl/types.bif b/src/analyzer/protocol/ssl/types.bif
index a6f7f069cf..c2bce5a44f 100644
--- a/src/analyzer/protocol/ssl/types.bif
+++ b/src/analyzer/protocol/ssl/types.bif
@@ -1,5 +1,6 @@
 module SSL;
 
 type SignatureAndHashAlgorithm: record;
+type PSKIdentity: record;
 
 module GLOBAL;
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
index 7347ea650f..a840e43bf4 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
@@ -45,7 +45,7 @@ sha1, dsa
 sha256, dsa
 sha384, dsa
 sha512, dsa
-supported_versions(, 192.168.6.240, 139.162.123.134
+supported_versions, 192.168.6.240, 139.162.123.134
 TLSv13-draft19
 TLSv12
 TLSv11
@@ -78,7 +78,7 @@ sha1, dsa
 sha256, dsa
 sha384, dsa
 sha512, dsa
-supported_versions(, 192.168.6.240, 139.162.123.134
+supported_versions, 192.168.6.240, 139.162.123.134
 TLSv13-draft19
 TLSv12
 TLSv11
@@ -86,3 +86,50 @@ TLSv10
 psk_key_exchange_modes, 192.168.6.240, 139.162.123.134
 1
 0
+pre_shared_key client hello, 192.168.6.240, 139.162.123.134, [[identity=\x01\xf3\x88\x12\xae\xeb\x13\x01\xed]\xcf\x0b\x8f\xad\xf2\xc1I\x9f-\xfa\xe1\x98\x9f\xb7\x82@\x81Or\x0e\xbe\xfc\xa3\xbc\x8f\x03\x86\xf1\x8e\xae\xd7\xe5\xa2\xee\xf3\xde\xb7\xa5\xf6\\xeb\x18^ICPm!|\x09\xe0NE\xe8\x0f\xda\xf8\xf2\xa8s\x84\x17>\xe5\xd9!\x19\x09\xfe\xdb\xa87\x05\xd7\xd06JG\xeb\xad\xf9\xf8\x13?#\xdc\xe7J\xad\x14\xbfS.\x98\xd8\xd2r\x01\xef\xc5\x0c_\xdf\xc9[7\xa7l\xa7\xa0\xb5\xda\x83\x16\x10\xa1\xdb\xe2<j\xfeN=uU\xd3\xf3[\x021\xb1\xff\xcc\xbbZ\x1d\xab\x14=\xca\x80\x07!d\x06\xbe\xc6\x90\x94\x92S\xcfu\x8e\x92_/\xc9\xf0H\xf3\xd0\xfa\xeb\xb6&, obfuscated_ticket_age=1415540021]], [\xdcJ$\x00L\x12\x87\x929wEed\xbd\xf6\xcb4\x04ip5\x95\xe2X\xca[Kx}\xadHY\xae\xab\xedz\xb3\xcaK=\xa0\x09ER\x0a\x8dO\xe4]
+pre_shared_key server hello, 192.168.6.240, 139.162.123.134, 0
+Point formats, 192.168.178.80, 174.138.9.219, T
+uncompressed
+ansiX962_compressed_prime
+ansiX962_compressed_char2
+Curves, 192.168.178.80, 174.138.9.219
+x25519
+secp256r1
+x448
+secp521r1
+secp384r1
+signature_algorithm, 192.168.178.80, 174.138.9.219
+sha256, ecdsa
+sha384, ecdsa
+sha512, ecdsa
+Intrinsic, ed25519
+Intrinsic, ed448
+Intrinsic, rsa_pss_sha256
+Intrinsic, rsa_pss_sha384
+Intrinsic, rsa_pss_sha512
+Intrinsic, rsa_pss_sha256
+Intrinsic, rsa_pss_sha384
+Intrinsic, rsa_pss_sha512
+sha256, rsa
+sha384, rsa
+sha512, rsa
+sha224, ecdsa
+sha1, ecdsa
+sha224, rsa
+sha1, rsa
+sha224, dsa
+sha1, dsa
+sha256, dsa
+sha384, dsa
+sha512, dsa
+supported_versions, 192.168.178.80, 174.138.9.219
+TLSv13
+TLSv12
+TLSv11
+TLSv10
+psk_key_exchange_modes, 192.168.178.80, 174.138.9.219
+1
+pre_shared_key client hello, 192.168.178.80, 174.138.9.219, [[identity=Client_identity, obfuscated_ticket_age=0]], [\xdbm7\xb6\xb9\xa3\xb29C\xb5\xa3\xa4\8\x95\x94o\x8d'\xd7\x99\x91R\xea\xcb\xa82\x9cb$e\xe9]
+supported_versions, 192.168.178.80, 174.138.9.219
+TLSv13
+pre_shared_key server hello, 192.168.178.80, 174.138.9.219, 0
diff --git a/testing/btest/Traces/tls/tls13_psk_succesfull.pcap b/testing/btest/Traces/tls/tls13_psk_succesfull.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..cdf7fcf132e77c678a97583223da93134b69cbc2
GIT binary patch
literal 4088
zcmb7{3tUun7RS%McNhkchaxW@I4~v{ItT)SK+S^2N93g`E0_TSEvzsQLh7bD61G|+
zK2{bVC@A9!g4joqwngh&7ABY=A+|b+t-^|BrsM;1+;e7zmKnhG|KZGi{ki||{hi-A
zbI07$(!2x!B7;1}Ft~l99}L*R^3>$q^enkJEj1}6HAlQOBP)3sP5~B7VWq!cf}aln
z2UajEDQ88xT<qm9^_5P;>jIbwxyjind70T__l)$V*~v-S;<r+Bmeb9=r2bMb@zkl}
zKV)ZTr2ck#Mu61Ycbe2|GA)3En21NL-_l)Kj8r+T@Y{I>B7j{fF^M26J5|1Xc?Qn1
zf%V~%J#ndl4eOs2^uefRSNb2CE5z7N2RK^ZGl9oHm#d?2pQ5DUAMQaO8*XZH!)J<M
zHh_%&WJ2qBzT#+1&HHATTbr1ANyiOmoD3hbPo4<lab<x?EyHm_h7p;2L(d7iCSd84
zQ3z;*Y{ZUR{jmVIBJC9&3o-4`9}`p6TPpQ@Jf_gm=*YB8LB!-Ibb6h5h>NLjZEAIi
z%0R9OWur73);-cPRSQ^=d1A!qhs1<@rkC0>6Rvxj1{!ja#zS!t4{>e4pg~+}<O;!k
zia}bTxH8h}4I`~4AX}!wMr41`23OW;bcMJKIas{sP#m;AafoRG4&vCmN~Qi5!6}S6
zm_{9k<@q5w97XoB&kZ^3IfmKB08_|u54u(@ihEp~mQ;6DHRqU9PIu$Kc6@p*FYrG;
zJFR0UxO^ZEEAY4~UAuCpGB5OTL`AGLsPl;P#>&55iQQf9UG?~KDdgC)wwx`)PvNIQ
zX;WoWMbjbPgZG5J{6yXzmhlqa4gSQN^P?evH{)$#Ivj?orkbY1P1UdmDx0dH8V;fP
zD<Bwxcz@mxK7wOV1Y5xuj=&~<2JZ`Xa1<@P1w5e!l<)*aXax%paKNx&4kIweg9A8&
z6F7ndC9}tHz_5gAAQf;XoRAZlibNtak-5l1BoLX1gaXEd5u!<0j$>GcV_8<fny^9^
zJituE2{^jKz*Jxv29YPhL|j5FESTanW>@Q1;3>_icRZ*JnOBzeVn)Z>T&s*z$A9$7
zgvr<k?7%uSBRy4~n~<J@pXs@)kOaU*d^vMQ-N)re1456Nt6uXj+Mcz^t$pX#`Q42b
z-X%*XrryL!&r(0+3-ZSnx+@Oy$GOKUbvW)*45}ZW;%KU$e0!t%$&_?-)+ub5-l`m(
zKN2JC#$xSU36-hVn3Yvz81kU%L;96Ch$oFE;2@qvjY=)SV+vy)#;!Pqc-Hw0$>YfM
z9!)dkvFA8Y;8U;WxZ|JaYZ@m0q-<||P;ug%`$hhAL&~ItOT7tO-L0%G3)cLuUu`++
ziXOmn0?ey6t0voh^7y-lSNx)CKQ`xJ{NysXZSO>{{q9}K<uCm9{msG(vx<w4MhJ#+
zz)y!(afR#KMH;6<w|vcKniJznKXfX0>b9b5zVBRJz0u_5Gk=CJr51L_ZWoT<8M~m@
z-sP2^HO+UwzjgZlOR6>HVEt|BejDF7)BU%D9oa{X8x8V4oX(`LaevB3okLJ_3gf;&
z&0jV|f9kAjb%~C`{xnMUN1e`?a}DL*FyHvhL*~1`Kb^trG$`M$a6p}p`xJvXa`haO
z4EvLw!%;M95q_KL`=plR|5E#Q{cz-=>}~HGi|al<|8sqT&w^Rbk2VG@9cfk)&^#vL
zY;Q+lzH;}<+6!s-`d+oP{jc=imGBYB@GNyi{G_LX1jj+ou~>0H9e~FagM2F~o~QNg
z3x>Xpj>0;+uR!0fQ|g`rwG1Xr$q?OsZ82e$N}u|I!nr9`eC5i>8k@A_ndkm3t3BJ}
zCN`b!&nZ+ZEaVp!rCeRM$7z3S(QLE!u$H{9_Z_bYcV*14t=c?k%SUtM<9A2DF1OpP
zNcTQn`@sI2o`SuuwQ&I>!Z#^zCXRjga^aS$n$TYZyB79d%^!7l3E#kTCU?HLmmGJZ
z)PJ+GzSVwq%p=*M-kJ>?HCJ3`rO#dvcbl)RxLEp~IQUlR?)LVZTP2;%X39^~*wLO7
zUpTq`XjpF7f_T}*_G{k@lBTS<-j;XwLU6Wg=!BQW4ua!5?m6vUct>zH{F|1z-ny3k
z|8!U=l(f{}3~3(so(qp!4%DCI9qN0IbT{_%C#Zi2&ZijUqv8B~zttrs82xOuzq{W@
zzc^D43^~|gIQsouhSzD34?0(!R4>MTia{KadOt@R`B}%|D6;y?ync?pDa1iO7@akv
zsAoy@`Zr&Bcs*$$ze^sWw13k;r{Va@kb!g>*ze^<pFFMK&)4>QTSK451WP))tf}9Z
z;5#kVTVll6N^j_!GJft(w=bJZP8#YpT;BToeKj)CAibJ0+SG60K811JKuqzg+Pb+v
zBoEe2WqUu5OFr>vn{4FmJ<jqw9*^$r3OVDtO|xsm{gjZRzUgT*tHav9UM+t%R$?^v
z*bQWTUXOKIqsQXNWADf4SiKqMrNjuAd_#`ma!4LSJr!cy8o#^aDWLPjS%yJ_G_^V3
zt;Uyapcv%A2)zfR3_YmlL=S4r`#FW>#7Uak?)$;BsH@|%UxR*3Jo(zLul{~_{0BOI
zZLVSXclI)5FxD{;`JP)xH?58%MOFnD4EdgoqrX-M*20dcTTiQn1=?B|Y2>{)tOYl!
zh4om?x>|4>=gkPq`%W)8>>`W*Nymea4fI<^tB*qW+h*Wznf_WB$n#>%Q+Z;wJk~}$
z@yO$@<(X^9b70)1OOat&q?UgD=jAD$_f(#RS{@rC9-TfTQ6F^LKz$aSa%`I&-DCND
oJd`&Y<m(pXd2Zjhqi^D={?<C_craI|5+mHk={SDRzqJ1U0I1DVbpQYW

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
index b8f3d42242..59209910a6 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
@@ -1,5 +1,6 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
 # @TEST-EXEC: bro -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
@@ -37,7 +38,7 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_
 
 event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
 	{
-	print "supported_versions(", c$id$orig_h, c$id$resp_h;
+	print "supported_versions", c$id$orig_h, c$id$resp_h;
 	for ( i in versions )
 		print SSL::version_strings[versions[i]];
 	}
@@ -48,3 +49,14 @@ event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes:
 	for ( i in modes )
 		print modes[i];
 	}
+
+event ssl_extension_pre_shared_key_client_hello(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec)
+	{
+	print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders;
+
+	}
+
+event ssl_extension_pre_shared_key_server_hello(c: connection, is_orig: bool, selected_identity: count)
+	{
+	print "pre_shared_key server hello", c$id$orig_h, c$id$resp_h, selected_identity;
+	}

From 4dc6ac538247e5d3b7535a6b8781cb23f2ef1cca Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Mon, 29 Apr 2019 15:25:47 -0400
Subject: [PATCH 02/91] Include all data of the server-hello random

Before we cut the first 4 bytes, which makes it impossible to recognize
several newer packets (like the hello retry).
---
 src/analyzer/protocol/ssl/events.bif          |  6 ++-
 .../protocol/ssl/proc-server-hello.pac        |  6 ++-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  2 +-
 .../protocol/ssl/tls-handshake-analyzer.pac   |  2 +-
 .../protocol/ssl/tls-handshake-protocol.pac   |  3 +-
 .../ssl-all.log                               | 40 +++++++++----------
 .../.stdout                                   |  2 +-
 .../all-events.log                            |  2 +-
 8 files changed, 34 insertions(+), 29 deletions(-)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 4e7b7113eb..25813031dd 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -56,13 +56,15 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
 ##
 ## possible_ts: The current time as sent by the server. Note that SSL/TLS does
 ##              not require clocks to be set correctly, so treat with care. This value
-##              is not sent in TLSv1.3.
+##              is meaningless in SSLv2 and TLSv1.3.
 ##
 ## session_id: The session ID as sent back by the server (if any). This value is not
 ##             sent in TLSv1.3.
 ##
 ## server_random: The random value sent by the server. For version 2 connections,
-##		  the connection-id is returned.
+##		  the connection-id is returned. Note - the full 32 bytes are included in
+##		  server_random. This means that the 4 bytes present in possible_ts are repeated;
+##		  if you do not want this behavior ignore the first 4 bytes.
 ##
 ## cipher: The cipher chosen by the server.  The values are standardized as part
 ##         of the SSL/TLS protocol. The :zeek:id:`SSL::cipher_desc` table maps
diff --git a/src/analyzer/protocol/ssl/proc-server-hello.pac b/src/analyzer/protocol/ssl/proc-server-hello.pac
index 3fbf688e5d..efce02b329 100644
--- a/src/analyzer/protocol/ssl/proc-server-hello.pac
+++ b/src/analyzer/protocol/ssl/proc-server-hello.pac
@@ -1,5 +1,5 @@
 	function proc_server_hello(
-					version : uint16, ts : double,
+					version : uint16, v2 : bool,
 					server_random : bytestring,
 					session_id : uint8[],
 					cipher_suites16 : uint16[],
@@ -21,6 +21,10 @@
 			else
 				std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(*ciphers), to_int());
 
+			uint32 ts = 0;
+			if ( v2 == 0 && server_random.length() >= 4 )
+				ts |= server_random[3] | server_random[2] << 8 | server_random[1] << 16 | server_random[0] << 24;
+
 			BifEvent::generate_ssl_server_hello(bro_analyzer(),
 							bro_analyzer()->Conn(),
 							version, record_version(), ts, new StringVal(server_random.length(),
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index bf35218873..06a5767955 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -44,7 +44,7 @@ refine typeattr V2ClientHello += &let {
 refine typeattr V2ServerHello += &let {
 	check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version);
 
-	proc : bool = $context.connection.proc_server_hello(server_version, 0,
+	proc : bool = $context.connection.proc_server_hello(server_version, 1,
 				conn_id_data, 0, 0, ciphers, 0) &requires(check_v2) &if(check_v2 == true);
 
 	cert : bool = $context.connection.proc_v2_certificate(rec.is_orig, cert_data)
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index 8e0ae84455..085a8710f9 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -465,7 +465,7 @@ refine typeattr ClientHello += &let {
 
 refine typeattr ServerHello += &let {
 	proc : bool = $context.connection.proc_server_hello(server_version,
-			gmt_unix_time, random_bytes, session_id, cipher_suite, 0,
+			0, random_bytes, session_id, cipher_suite, 0,
 			compression_method);
 };
 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index e3b2b88aeb..1ed6816f45 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -116,8 +116,7 @@ type ServerHelloChoice(rec: HandshakeRecord) = record {
 };
 
 type ServerHello(rec: HandshakeRecord, server_version: uint16) = record {
-	gmt_unix_time : uint32;
-	random_bytes : bytestring &length = 28;
+	random_bytes : bytestring &length = 32;
 	session_len : uint8;
 	session_id : uint8[session_len];
 	cipher_suite : uint16[1];
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log
index 7d15c707b3..506c3a5945 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log
@@ -3,60 +3,60 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2018-08-27-22-38-51
+#open	2019-04-29-19-23-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1398558136.319509	CHhAvVGS1DHFjwGM9	192.168.18.50	62277	162.219.2.166	443	TLSv12	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA	-	-	F	-	-	T	F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7	(empty)	emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US	CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL	-	-	TLSv10	1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv12	5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322	bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b	02	af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac	-	1	6	18fd31815d4c5316d23bddb61ada198272ffa76ab0a4f7505b2a232150bd79874a9e5aabd7e39aef8cccdd2eba9cfcef6cc77842c7b359899b976f930e671d9308c3a07eeb6eaf1411a4c91a3523e4a8a4ccf523df2b70d56da5173e862643ad894495f14a94bda7115cedda87d520e524f917197dec625ffa1283d156e39f2daa49424a42aba2e0d0e43ebd537f348db770fe6c901a17432c7dd1a9146a2039c383f293cab5b04cb653332454883396863dd419b63745cc65bfc905c06a5d4283f5ff33a1d59584610293a1b08da9a6884c8e67675568e2c357b3d040350694c8b1c74c4be16e76eafeb8efe69dc501154fd36347d04ffc0c6e9a5646a1902a	c3d48226a8f94d3bbb49918ac02187493258e74e	-	0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483	-
-#close	2018-08-27-22-38-51
+1398558136.319509	CHhAvVGS1DHFjwGM9	192.168.18.50	62277	162.219.2.166	443	TLSv12	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA	-	-	F	-	-	T	F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7	(empty)	emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US	CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL	-	-	TLSv10	1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv12	535c4db35c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322	bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b	02	af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac	-	1	6	18fd31815d4c5316d23bddb61ada198272ffa76ab0a4f7505b2a232150bd79874a9e5aabd7e39aef8cccdd2eba9cfcef6cc77842c7b359899b976f930e671d9308c3a07eeb6eaf1411a4c91a3523e4a8a4ccf523df2b70d56da5173e862643ad894495f14a94bda7115cedda87d520e524f917197dec625ffa1283d156e39f2daa49424a42aba2e0d0e43ebd537f348db770fe6c901a17432c7dd1a9146a2039c383f293cab5b04cb653332454883396863dd419b63745cc65bfc905c06a5d4283f5ff33a1d59584610293a1b08da9a6884c8e67675568e2c357b3d040350694c8b1c74c4be16e76eafeb8efe69dc501154fd36347d04ffc0c6e9a5646a1902a	c3d48226a8f94d3bbb49918ac02187493258e74e	-	0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483	-
+#close	2019-04-29-19-23-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2018-08-27-22-38-52
+#open	2019-04-29-19-23-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1398529018.678827	CHhAvVGS1DHFjwGM9	192.168.18.50	56981	74.125.239.97	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-	TLSv10	d170a048a025925479f1a573610851d30a1f3e7267836932797def95	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv12	5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c	-	-	-	04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807	1	6	bb8ed698a89f33367af245236d1483c2caa406f61a6e3639a6483c8ed3baadaf18bfdfd967697ad29497dd7f16fde1b5d8933b6f5d72e63f0e0dfd416785a3ee3ad7b6d65e71c67c219740723695136678feaca0db5f1cd00a2f2c5b1a0b83098e796bb6539b486639ab02a288d0f0bf68123151437e1b2ef610af17993a107acfcb3791d00b509a5271ddcf60b31b202571c06ceaf51b846a0ff8fd85cf1bc99f82bb936bae69a13f81727f0810280306abb942fd80e0fdf93a51e7e036c26e429295aa60e36506ab1762d49e31152d02bd7850fcaa251219b3dde81ea5fc61c4c63b940120fa6847ccc43fad0a2ac252153254baa03b0baebb6db899ade45e	e2fb0771ee6fc0d0e324bc863c02b57921257c86	-	-	4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472
-#close	2018-08-27-22-38-52
+1398529018.678827	CHhAvVGS1DHFjwGM9	192.168.18.50	56981	74.125.239.97	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-	TLSv10	d170a048a025925479f1a573610851d30a1f3e7267836932797def95	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv12	535bdbf95cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c	-	-	-	04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807	1	6	bb8ed698a89f33367af245236d1483c2caa406f61a6e3639a6483c8ed3baadaf18bfdfd967697ad29497dd7f16fde1b5d8933b6f5d72e63f0e0dfd416785a3ee3ad7b6d65e71c67c219740723695136678feaca0db5f1cd00a2f2c5b1a0b83098e796bb6539b486639ab02a288d0f0bf68123151437e1b2ef610af17993a107acfcb3791d00b509a5271ddcf60b31b202571c06ceaf51b846a0ff8fd85cf1bc99f82bb936bae69a13f81727f0810280306abb942fd80e0fdf93a51e7e036c26e429295aa60e36506ab1762d49e31152d02bd7850fcaa251219b3dde81ea5fc61c4c63b940120fa6847ccc43fad0a2ac252153254baa03b0baebb6db899ade45e	e2fb0771ee6fc0d0e324bc863c02b57921257c86	-	-	4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472
+#close	2019-04-29-19-23-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2018-08-27-22-38-52
+#open	2019-04-29-19-23-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1170717505.549109	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	unknown-0	e6b8efdf91cf44f7eae43c83398fdcb2	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785	-	-
-1170717508.697180	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	TLSv10	a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52	-	-
-1170717511.722913	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	TLSv10	240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8	-	-
-#close	2018-08-27-22-38-52
+1170717505.549109	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	unknown-0	e6b8efdf91cf44f7eae43c83398fdcb2	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	45c7bb492b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785	-	-
+1170717508.697180	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	TLSv10	a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	45c7bb4c0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52	-	-
+1170717511.722913	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd	(empty)	CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE	OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network	-	-	TLSv10	240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	TLSv10	45c7bb4ffd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904	-	-	-	-	-	-	-	2c322ae2b7fe91391345e070b63668978bb1c9da	008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8	-	-
+#close	2019-04-29-19-23-04
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2018-08-27-22-38-53
+#open	2019-04-29-19-23-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1512072318.429417	CHhAvVGS1DHFjwGM9	192.168.17.58	62987	216.58.192.14	443	TLSv11	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	secp256r1	-	F	-	-	T	F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-	TLSv10	ae1b693f91b97315fc38b4b19f600e2aff7f24ce9b11bf538b1667e5	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv11	0bdeb3f9e87d53e65a458a89d647f40fab7658f9d4a6ac93a5a65d71	-	-	-	04c8dd2cfb5dce034588f47acea36d8a0443857ec302c7be2974ce2a5a6d8db18e6161b1ee657dacc3b6ceb92f52dd122f0d466e01f21a39dfe35d48143e41d3cb	256	256	72abf64adf8d025394e3dddab15681f669efc25301458e20a35d2c0c8aa696992c49baca5096656dbae6acd79374aaec2c0be0b85614d8d647f4e56e956d52d959761f3a18ef80a695e6cd549ba4f2802e44983382b07d0fde27296bbb1fa72bb7ceb1b0ae1959bbcf9e4560d9771c2267518b44b9e6f472fa6b9fe6c60d41a57dc0de81d9cc57706a80e0818170e503dd44f221160096593ea2f83bd8755e0ae4a3380b5c52811eb33d95944535148bed5f16817df4b9938be40b4bc8f55f86ded30efe48a0f37fd66316fba484f62dd2f7e1c0825b59b84aa5cbee6c0fd09779023f3e5ea6e7ec337d9acc1cb831c5df5f6499ed97c1f454d31e5a323b541a	b453697b78df7c522c3e2bfc889b7fa6674903ca	-	-	4104887d740719eb306e32bf94ba4b9bf31ecabf9cca860e12f7fa55ac95c6676b0da90513aa453b18b82bf424bf2654a72a46b8d3d19210502a88381ba146533792
-#close	2018-08-27-22-38-53
+1512072318.429417	CHhAvVGS1DHFjwGM9	192.168.17.58	62987	216.58.192.14	443	TLSv11	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	secp256r1	-	F	-	-	T	F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-	TLSv10	ae1b693f91b97315fc38b4b19f600e2aff7f24ce9b11bf538b1667e5	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	TLSv11	5a20647e0bdeb3f9e87d53e65a458a89d647f40fab7658f9d4a6ac93a5a65d71	-	-	-	04c8dd2cfb5dce034588f47acea36d8a0443857ec302c7be2974ce2a5a6d8db18e6161b1ee657dacc3b6ceb92f52dd122f0d466e01f21a39dfe35d48143e41d3cb	256	256	72abf64adf8d025394e3dddab15681f669efc25301458e20a35d2c0c8aa696992c49baca5096656dbae6acd79374aaec2c0be0b85614d8d647f4e56e956d52d959761f3a18ef80a695e6cd549ba4f2802e44983382b07d0fde27296bbb1fa72bb7ceb1b0ae1959bbcf9e4560d9771c2267518b44b9e6f472fa6b9fe6c60d41a57dc0de81d9cc57706a80e0818170e503dd44f221160096593ea2f83bd8755e0ae4a3380b5c52811eb33d95944535148bed5f16817df4b9938be40b4bc8f55f86ded30efe48a0f37fd66316fba484f62dd2f7e1c0825b59b84aa5cbee6c0fd09779023f3e5ea6e7ec337d9acc1cb831c5df5f6499ed97c1f454d31e5a323b541a	b453697b78df7c522c3e2bfc889b7fa6674903ca	-	-	4104887d740719eb306e32bf94ba4b9bf31ecabf9cca860e12f7fa55ac95c6676b0da90513aa453b18b82bf424bf2654a72a46b8d3d19210502a88381ba146533792
+#close	2019-04-29-19-23-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2018-08-27-22-38-54
+#open	2019-04-29-19-23-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1425932016.520029	CHhAvVGS1DHFjwGM9	192.168.6.86	63721	104.236.167.107	4433	DTLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FZi2Ct2AcCswhiIjKe	(empty)	CN=bro	CN=bro	-	-	DTLSv10	543f24d1a377e53b63d935157e76c81e2067b1333bccaad6c24ce92d	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DH_RSA_WITH_DES_CBC_SHA,TLS_DH_DSS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	DTLSv10	e29e9780bd73e567dba0ae66ed5b7fb1ee86efba4b09f98bd7b03ad2	-	-	-	043c5e4b4508b840ef8ac34f592fba8716445aeb9ab2028695541ea62eb79b735da9dbfdbdd01a7beab2c832a633b7fd1ce278659355d7b8a1c88503bfb938b7ef	256	256	17569f292088d5383ffa009ffd5ae4a34b5aec68a206d68eea910b808831c098e5385b2fcf49bbd5df914d2b9d7efcd67a493c324daf48c929bdb3838e56fef25d67f45d6f03f7b195a9d688ec5efe96f1ffe0d88e73458b87175fac7073ca8d8e340657e805cb1e91db02ee687fe5ce37c57fb177368bf3ac787971591a67eaf1880eabac8307ec74e269539b9894781c0026ea61101dafbac1995bc32d39584a03ef82d413731df06dae085dc5984b7fcbedd860715fb84ebb75e74406b88bee23533eba46fe5b3f0936c130e262dcc48d3809f5e208719a70a2a918c0e9fe60b4e992ac555048ff6c2cd077ca2afdc0c36cde432a38c1058fb6bd9cb2cc39	fa6d780625219f5e1ae0b4c863e8321328241134	-	-	4104093d316a7b6bdfdbc28c02516e145b8f52881cbb7a5f327e3d0967fc4303617d03d423277420024e6f89b9ab16414681d47a221998a2ba85c4e2f625a0ad7c49
-#close	2018-08-27-22-38-54
+1425932016.520029	CHhAvVGS1DHFjwGM9	192.168.6.86	63721	104.236.167.107	4433	DTLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FZi2Ct2AcCswhiIjKe	(empty)	CN=bro	CN=bro	-	-	DTLSv10	543f24d1a377e53b63d935157e76c81e2067b1333bccaad6c24ce92d	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DH_RSA_WITH_DES_CBC_SHA,TLS_DH_DSS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	DTLSv10	54fdfee7e29e9780bd73e567dba0ae66ed5b7fb1ee86efba4b09f98bd7b03ad2	-	-	-	043c5e4b4508b840ef8ac34f592fba8716445aeb9ab2028695541ea62eb79b735da9dbfdbdd01a7beab2c832a633b7fd1ce278659355d7b8a1c88503bfb938b7ef	256	256	17569f292088d5383ffa009ffd5ae4a34b5aec68a206d68eea910b808831c098e5385b2fcf49bbd5df914d2b9d7efcd67a493c324daf48c929bdb3838e56fef25d67f45d6f03f7b195a9d688ec5efe96f1ffe0d88e73458b87175fac7073ca8d8e340657e805cb1e91db02ee687fe5ce37c57fb177368bf3ac787971591a67eaf1880eabac8307ec74e269539b9894781c0026ea61101dafbac1995bc32d39584a03ef82d413731df06dae085dc5984b7fcbedd860715fb84ebb75e74406b88bee23533eba46fe5b3f0936c130e262dcc48d3809f5e208719a70a2a918c0e9fe60b4e992ac555048ff6c2cd077ca2afdc0c36cde432a38c1058fb6bd9cb2cc39	fa6d780625219f5e1ae0b4c863e8321328241134	-	-	4104093d316a7b6bdfdbc28c02516e145b8f52881cbb7a5f327e3d0967fc4303617d03d423277420024e6f89b9ab16414681d47a221998a2ba85c4e2f625a0ad7c49
+#close	2019-04-29-19-23-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2018-08-27-22-38-54
+#open	2019-04-29-19-23-07
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	client_record_version	client_random	client_cipher_suites	server_record_version	server_random	server_dh_p	server_dh_q	server_dh_Ys	server_ecdh_point	server_signature_sig_alg	server_signature_hash_alg	server_signature	server_cert_sha1	client_rsa_pms	client_dh_Yc	client_ecdh_point
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string	string	string	string	string	string	string	string	string	count	count	string	string	string	string	string
-1512070268.982498	CHhAvVGS1DHFjwGM9	192.168.17.58	60934	165.227.57.17	4400	DTLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	Fox0Fc3MY8kLKfhNK6	(empty)	O=Internet Widgits Pty Ltd,ST=Some-State,C=AU	O=Internet Widgits Pty Ltd,ST=Some-State,C=AU	-	-	DTLSv12	e701fd74cac15bdb8d0fb735dca354f8e4cc1e65944f8d443a1af9b2	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	DTLSv12	1fea3e397e8a4533a9f4fd6e82cd650533269d28dc7b2d62496dc490	-	-	-	049e5bb8781f90c66cae6b86d7a74977bccd02963bb55631fe7d916ba91c9af9a9562dec1c71b66005503523fbb72a95874bc77394aed429093ad69d7971fb13a9	1	6	e55f866f29d42c23dc5e87acaccff3fd5da17f001fbfcc1060188cc4351101bb53355ee7015edec32874dad840669578101ec98f898b87d1ce5f045ed990e1655dc9562dc83193ec2b6fbcb9410af9efd6d04c434d29cf809ee0be4bde51674ccfc2c662f76a6c2092cae471c0560f3cc358ed4211b8c6da4f2350ed479f82da84ec6d072e2b31cc0b982c2181af2066b502f5cb1b2e6becdd1e8bbd897a1038939121491c39294e3b584b618d5f9ae7dbc4b36b1a6ac99b92799ab2c8600f1698423bdde64e7476db84afaef919655f6b3dda48400995cf9334564ba70606004d805f4d9aeb4f0df42cea6034d42261d03544efeee721204c30de62268a217c	1cb43b5f1de3fe36d595da76210bbf5572a721be	-	-	41049c7a642fbbd5847c306ee295360442e353d78aef43297523f92be70b68b882ac708aefcb7a224b34130d6c6041030e5b62fc3def72d7774fd61043a0a430a416
-#close	2018-08-27-22-38-54
+1512070268.982498	CHhAvVGS1DHFjwGM9	192.168.17.58	60934	165.227.57.17	4400	DTLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	Fox0Fc3MY8kLKfhNK6	(empty)	O=Internet Widgits Pty Ltd,ST=Some-State,C=AU	O=Internet Widgits Pty Ltd,ST=Some-State,C=AU	-	-	DTLSv12	e701fd74cac15bdb8d0fb735dca354f8e4cc1e65944f8d443a1af9b2	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV	DTLSv12	07c5aefa1fea3e397e8a4533a9f4fd6e82cd650533269d28dc7b2d62496dc490	-	-	-	049e5bb8781f90c66cae6b86d7a74977bccd02963bb55631fe7d916ba91c9af9a9562dec1c71b66005503523fbb72a95874bc77394aed429093ad69d7971fb13a9	1	6	e55f866f29d42c23dc5e87acaccff3fd5da17f001fbfcc1060188cc4351101bb53355ee7015edec32874dad840669578101ec98f898b87d1ce5f045ed990e1655dc9562dc83193ec2b6fbcb9410af9efd6d04c434d29cf809ee0be4bde51674ccfc2c662f76a6c2092cae471c0560f3cc358ed4211b8c6da4f2350ed479f82da84ec6d072e2b31cc0b982c2181af2066b502f5cb1b2e6becdd1e8bbd897a1038939121491c39294e3b584b618d5f9ae7dbc4b36b1a6ac99b92799ab2c8600f1698423bdde64e7476db84afaef919655f6b3dda48400995cf9334564ba70606004d805f4d9aeb4f0df42cea6034d42261d03544efeee721204c30de62268a217c	1cb43b5f1de3fe36d595da76210bbf5572a721be	-	-	41049c7a642fbbd5847c306ee295360442e353d78aef43297523f92be70b68b882ac708aefcb7a224b34130d6c6041030e5b62fc3def72d7774fd61043a0a430a416
+#close	2019-04-29-19-23-07
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-random/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-random/.stdout
index 85bc19633e..7482c0c3b4 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-random/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-random/.stdout
@@ -1,2 +1,2 @@
 8\xd0U@\xf1\xaamI\xb5SE\x0b\x82\xa4\xe0\x9eG\xf3\xdd\x1f\xeey\xa6[\xcc\xd7\x04\x90
-\xa7\x02\xf4'&\x05]|c\x83KN\xb0\x0e6F\xbez\xbb\x0ey\xbf\x0f\x85p\x83\x8dX
+R\xc1\xf4\xef\xa7\x02\xf4'&\x05]|c\x83KN\xb0\x0e6F\xbez\xbb\x0ey\xbf\x0f\x85p\x83\x8dX
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 9182b8f999..3c02e20a80 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -834,7 +834,7 @@
                   [1] version: count     = 771
                   [2] record_version: count = 771
                   [3] possible_ts: time  = 1437831799.0
-                  [4] server_random: string = \xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM
+                  [4] server_random: string = U\xb3\x92w\xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM
                   [5] session_id: string = \x17x\xe5j\x19T\x12vWY\xcf\xf3\xeai\\xdf\x09[]\xb7\xdf.[\x0e\x04\xa8\x89bJ\x94\xa7\x0c
                   [6] cipher: count      = 4
                   [7] comp_method: count = 0

From 474efe9e69f94de3fc57f76dd8d95edfe3e86abd Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Thu, 9 May 2019 11:52:51 -0700
Subject: [PATCH 03/91] Remove value serialization.

Note - this compiles, but you cannot run Bro anymore - it crashes
immediately with a 0-pointer access. The reason behind it is that the
required clone functionality does not work anymore.
---
 src/Attr.cc                                  |   68 -
 src/Attr.h                                   |    5 -
 src/CMakeLists.txt                           |    3 -
 src/ChunkedIO.cc                             | 1357 ------------------
 src/ChunkedIO.h                              |  362 -----
 src/Conn.cc                                  |  193 ---
 src/Conn.h                                   |    8 -
 src/DebugLogger.cc                           |    3 +-
 src/DebugLogger.h                            |    3 +-
 src/Event.cc                                 |    3 +-
 src/Event.h                                  |    1 -
 src/EventHandler.cc                          |   20 -
 src/EventHandler.h                           |    8 -
 src/Expr.cc                                  |  841 -----------
 src/Expr.h                                   |   99 --
 src/File.cc                                  |  142 --
 src/File.h                                   |    5 -
 src/Func.cc                                  |  134 --
 src/Func.h                                   |   10 -
 src/ID.cc                                    |  205 ---
 src/ID.h                                     |    6 -
 src/Net.cc                                   |    1 -
 src/Obj.cc                                   |   65 -
 src/Obj.h                                    |   21 +-
 src/OpaqueVal.cc                             |  359 -----
 src/OpaqueVal.h                              |   14 -
 src/RE.cc                                    |   53 +-
 src/RE.h                                     |    9 +-
 src/Reassem.cc                               |   35 -
 src/Reassem.h                                |    5 -
 src/SerialInfo.h                             |   10 -
 src/SerialObj.cc                             |  277 ----
 src/SerialObj.h                              |  382 -----
 src/SerializationFormat.cc                   |    2 +-
 src/Serializer.cc                            | 1059 --------------
 src/Serializer.h                             |  363 -----
 src/StateAccess.cc                           |  142 --
 src/StateAccess.h                            |   12 +-
 src/Stmt.cc                                  |  525 -------
 src/Stmt.h                                   |   47 -
 src/Timer.cc                                 |   36 -
 src/Timer.h                                  |    9 +-
 src/Type.cc                                  |  518 +------
 src/Type.h                                   |   31 -
 src/Val.cc                                   |  791 +---------
 src/Val.h                                    |   52 +-
 src/Var.cc                                   |    1 -
 src/analyzer/protocol/tcp/TCP_Reassembler.cc |   14 -
 src/analyzer/protocol/tcp/TCP_Reassembler.h  |    2 -
 src/bro.bif                                  |   29 +-
 src/broker/Data.cc                           |   74 +-
 src/broker/Data.h                            |    2 -
 src/broker/Manager.cc                        |    1 +
 src/broker/Store.cc                          |   42 -
 src/broker/Store.h                           |    2 -
 src/file_analysis/FileReassembler.cc         |   15 -
 src/file_analysis/FileReassembler.h          |    2 -
 src/file_analysis/analyzer/x509/OCSP.cc      |   30 -
 src/file_analysis/analyzer/x509/OCSP.h       |    1 -
 src/file_analysis/analyzer/x509/X509.cc      |   38 -
 src/file_analysis/analyzer/x509/X509.h       |    2 -
 src/iosource/Packet.cc                       |   65 -
 src/iosource/Packet.h                        |   16 -
 src/logging/WriterBackend.cc                 |   53 -
 src/logging/WriterBackend.h                  |    2 -
 src/main.cc                                  |   38 +-
 src/probabilistic/BitVector.cc               |   54 -
 src/probabilistic/BitVector.h                |   29 +-
 src/probabilistic/BloomFilter.cc             |   57 +-
 src/probabilistic/BloomFilter.h              |   29 +-
 src/probabilistic/CardinalityCounter.cc      |   46 -
 src/probabilistic/CardinalityCounter.h       |   19 -
 src/probabilistic/CounterVector.cc           |   41 +-
 src/probabilistic/CounterVector.h            |   32 +-
 src/probabilistic/Hasher.cc                  |   91 --
 src/probabilistic/Hasher.h                   |   14 +-
 src/probabilistic/Topk.cc                    |  106 --
 src/probabilistic/Topk.h                     |    2 -
 78 files changed, 58 insertions(+), 9185 deletions(-)
 delete mode 100644 src/ChunkedIO.cc
 delete mode 100644 src/ChunkedIO.h
 delete mode 100644 src/SerialObj.cc
 delete mode 100644 src/SerialObj.h
 delete mode 100644 src/Serializer.cc
 delete mode 100644 src/Serializer.h

diff --git a/src/Attr.cc b/src/Attr.cc
index a3d8d15e20..6d8217b060 100644
--- a/src/Attr.cc
+++ b/src/Attr.cc
@@ -4,7 +4,6 @@
 
 #include "Attr.h"
 #include "Expr.h"
-#include "Serializer.h"
 #include "threading/SerialTypes.h"
 
 const char* attr_name(attr_tag t)
@@ -531,70 +530,3 @@ bool Attributes::operator==(const Attributes& other) const
 	return true;
 	}
 
-bool Attributes::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Attributes* Attributes::Unserialize(UnserialInfo* info)
-	{
-	return (Attributes*) SerialObj::Unserialize(info, SER_ATTRIBUTES);
-	}
-
-IMPLEMENT_SERIAL(Attributes, SER_ATTRIBUTES);
-
-bool Attributes::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ATTRIBUTES, BroObj);
-
-	info->s->WriteOpenTag("Attributes");
-	assert(type);
-	if ( ! (type->Serialize(info) && SERIALIZE(attrs->length())) )
-		return false;
-
-	loop_over_list((*attrs), i)
-		{
-		Attr* a = (*attrs)[i];
-
-		Expr* e = a->AttrExpr();
-		SERIALIZE_OPTIONAL(e);
-
-		if ( ! SERIALIZE(char(a->Tag())) )
-			return false;
-		}
-
-	info->s->WriteCloseTag("Attributes");
-	return true;
-	}
-
-bool Attributes::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	type = BroType::Unserialize(info);
-	if ( ! type )
-		return false;
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	attrs = new attr_list(len);
-	while ( len-- )
-		{
-		Expr* e;
-		UNSERIALIZE_OPTIONAL(e, Expr::Unserialize(info))
-
-		char tag;
-		if ( ! UNSERIALIZE(&tag) )
-			{
-			delete e;
-			return false;
-			}
-
-		attrs->append(new Attr((attr_tag)tag, e));
-		}
-
-	return true;
-	}
-
diff --git a/src/Attr.h b/src/Attr.h
index 4a1110bc04..0400d44910 100644
--- a/src/Attr.h
+++ b/src/Attr.h
@@ -96,17 +96,12 @@ public:
 
 	attr_list* Attrs()	{ return attrs; }
 
-	bool Serialize(SerialInfo* info) const;
-	static Attributes* Unserialize(UnserialInfo* info);
-
 	bool operator==(const Attributes& other) const;
 
 protected:
 	Attributes() : type(), attrs(), in_record()	{ }
 	void CheckAttr(Attr* attr);
 
-	DECLARE_SERIAL(Attributes);
-
 	BroType* type;
 	attr_list* attrs;
 	bool in_record;
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index f09d0d224e..8839aec9a0 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -247,7 +247,6 @@ set(bro_SRCS
     Brofiler.cc
     BroString.cc
     CCL.cc
-    ChunkedIO.cc
     CompHash.cc
     Conn.cc
     ConvertUTF.c
@@ -302,8 +301,6 @@ set(bro_SRCS
     SmithWaterman.cc
     Scope.cc
     SerializationFormat.cc
-    SerialObj.cc
-    Serializer.cc
     Sessions.cc
     StateAccess.cc
     Stats.cc
diff --git a/src/ChunkedIO.cc b/src/ChunkedIO.cc
deleted file mode 100644
index c57ab34dc8..0000000000
--- a/src/ChunkedIO.cc
+++ /dev/null
@@ -1,1357 +0,0 @@
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <signal.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <assert.h>
-
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-
-#include <algorithm>
-
-#include "bro-config.h"
-#include "ChunkedIO.h"
-#include "NetVar.h"
-
-ChunkedIO::ChunkedIO() : stats(), tag(), pure()
-	{
-	}
-
-void ChunkedIO::Stats(char* buffer, int length)
-	{
-	safe_snprintf(buffer, length,
-		      "bytes=%luK/%luK chunks=%lu/%lu io=%lu/%lu bytes/io=%.2fK/%.2fK",
-		      stats.bytes_read / 1024, stats.bytes_written / 1024,
-		      stats.chunks_read, stats.chunks_written,
-		      stats.reads, stats.writes,
-		      stats.bytes_read / (1024.0 * stats.reads),
-		      stats.bytes_written / (1024.0 * stats.writes));
-	}
-
-#ifdef DEBUG_COMMUNICATION
-
-void ChunkedIO::AddToBuffer(uint32 len, char* data, bool is_read)
-	{
-	Chunk* copy = new Chunk;
-	copy->len = len;
-	copy->data = new char[len];
-	memcpy(copy->data, data, len);
-
-	std::list<Chunk*>* l = is_read ? &data_read : &data_written;
-	l->push_back(copy);
-
-	if ( l->size() > DEBUG_COMMUNICATION )
-		{
-		Chunk* old = l->front();
-		l->pop_front();
-		delete [] old->data;
-		delete old;
-		}
-	}
-
-void ChunkedIO::AddToBuffer(Chunk* chunk, bool is_read)
-	{
-	AddToBuffer(chunk->len, chunk->data, is_read);
-	}
-
-void ChunkedIO::DumpDebugData(const char* basefnname, bool want_reads)
-	{
-	std::list<Chunk*>* l = want_reads ? &data_read : &data_written;
-
-	int count = 0;
-
-	for ( std::list<Chunk*>::iterator i = l->begin(); i != l->end(); ++i )
-		{
-		static char buffer[128];
-		snprintf(buffer, sizeof(buffer), "%s.%s.%d", basefnname,
-				 want_reads ? "read" : "write", ++count);
-		buffer[sizeof(buffer) - 1] = '\0';
-
-		int fd = open(buffer, O_WRONLY | O_CREAT | O_TRUNC, 0600);
-		if ( fd < 0 )
-			continue;
-
-		ChunkedIOFd io(fd, "dump-file");
-		io.Write(*i);
-		io.Flush();
-		safe_close(fd);
-		}
-
-	l->clear();
-	}
-
-#endif
-
-ChunkedIOFd::ChunkedIOFd(int arg_fd, const char* arg_tag, pid_t arg_pid)
-	{
-	int flags;
-
-	tag = arg_tag;
-	fd = arg_fd;
-	eof = 0;
-	last_flush = current_time();
-	failed_reads = 0;
-
-	if ( (flags = fcntl(fd, F_GETFL, 0)) < 0)
-		{
-		Log(fmt("can't obtain socket flags: %s", strerror(errno)));
-		exit(1);
-		}
-
-	if ( fcntl(fd, F_SETFL, flags|O_NONBLOCK) < 0 )
-		{
-		Log(fmt("can't set fd to non-blocking: %s (%d)",
-			  strerror(errno), getpid()));
-		exit(1);
-		}
-
-	read_buffer = new char[BUFFER_SIZE];
-	read_len = 0;
-	read_pos = 0;
-	partial = 0;
-	write_buffer = new char[BUFFER_SIZE];
-	write_len = 0;
-	write_pos = 0;
-
-	pending_head = 0;
-	pending_tail = 0;
-
-	pid = arg_pid;
-	}
-
-ChunkedIOFd::~ChunkedIOFd()
-	{
-	Clear();
-
-	delete [] read_buffer;
-	delete [] write_buffer;
-	safe_close(fd);
-	delete partial;
-	}
-
-bool ChunkedIOFd::Write(Chunk* chunk)
-	{
-#ifdef DEBUG
-	DBG_LOG(DBG_CHUNKEDIO, "write of size %d [%s]",
-		chunk->len, fmt_bytes(chunk->data, min((uint32)20, chunk->len)));
-#endif
-
-#ifdef DEBUG_COMMUNICATION
-	AddToBuffer(chunk, false);
-#endif
-
-	if ( chunk->len <= BUFFER_SIZE - sizeof(uint32) )
-		return WriteChunk(chunk, false);
-
-	// We have to split it up.
-	char* p = chunk->data;
-	uint32 left = chunk->len;
-
-	while ( left )
-		{
-		uint32 sz = min<uint32>(BUFFER_SIZE - sizeof(uint32), left);
-		Chunk* part = new Chunk(new char[sz], sz);
-
-		memcpy(part->data, p, part->len);
-		left -= part->len;
-		p += part->len;
-
-		if ( ! WriteChunk(part, left != 0) )
-			return false;
-		}
-
-	delete chunk;
-	return true;
-	}
-
-bool ChunkedIOFd::WriteChunk(Chunk* chunk, bool partial)
-	{
-	assert(chunk->len <= BUFFER_SIZE - sizeof(uint32) );
-
-	if ( chunk->len == 0 )
-		InternalError("attempt to write 0 bytes chunk");
-
-	if ( partial )
-		chunk->len |= FLAG_PARTIAL;
-
-	++stats.chunks_written;
-
-	// If it fits into the buffer, we're done (but keep care not
-	// to reorder chunks).
-	if ( ! pending_head && PutIntoWriteBuffer(chunk) )
-		return true;
-
-	// Otherwise queue it.
-	++stats.pending;
-	ChunkQueue* q = new ChunkQueue;
-	q->chunk = chunk;
-	q->next = 0;
-
-	if ( pending_tail )
-		{
-		pending_tail->next = q;
-		pending_tail = q;
-		}
-	else
-		pending_head = pending_tail = q;
-
-	write_flare.Fire();
-	return Flush();
-	}
-
-
-bool ChunkedIOFd::PutIntoWriteBuffer(Chunk* chunk)
-	{
-	uint32 len = chunk->len & ~FLAG_PARTIAL;
-
-	if ( write_len + len + (IsPure() ? 0 : sizeof(len)) > BUFFER_SIZE )
-		return false;
-
-	if ( ! IsPure() )
-		{
-		uint32 nlen = htonl(chunk->len);
-		memcpy(write_buffer + write_len, &nlen, sizeof(nlen));
-		write_len += sizeof(nlen);
-		}
-
-	memcpy(write_buffer + write_len, chunk->data, len);
-	write_len += len;
-
-	delete chunk;
-	write_flare.Fire();
-
-	if ( network_time - last_flush > 0.005 )
-		FlushWriteBuffer();
-
-	return true;
-	}
-
-bool ChunkedIOFd::FlushWriteBuffer()
-	{
-	last_flush = network_time;
-
-	while ( write_pos != write_len )
-		{
-		uint32 len = write_len - write_pos;
-
-		int written = write(fd, write_buffer + write_pos, len);
-
-		if ( written < 0 )
-			{
-			if ( errno == EPIPE )
-				eof = true;
-
-			if ( errno != EINTR )
-				// These errnos are equal on POSIX.
-				return errno == EWOULDBLOCK || errno == EAGAIN;
-
-			else
-				written = 0;
-			}
-
-		stats.bytes_written += written;
-		if ( written > 0 )
-			++stats.writes;
-
-		if ( unsigned(written) == len )
-			{
-			write_pos = write_len = 0;
-
-			if ( ! pending_head )
-				write_flare.Extinguish();
-
-			return true;
-			}
-
-		if ( written == 0 )
-			InternalError("written==0");
-
-		// Short write.
-		write_pos += written;
-		}
-
-	return true;
-	}
-
-bool ChunkedIOFd::OptionalFlush()
-	{
-	// This threshhold is quite arbitrary.
-//	if ( current_time() - last_flush > 0.01 )
-	return Flush();
-	}
-
-bool ChunkedIOFd::Flush()
-	{
-	// Try to write data out.
-	while ( pending_head )
-		{
-		if ( ! FlushWriteBuffer() )
-			return false;
-
-		// If we couldn't write the whole buffer, we stop here
-		// and try again next time.
-		if ( write_len > 0 )
-			return true;
-
-		// Put as many pending chunks into the buffer as possible.
-		while ( pending_head )
-			{
-			if ( ! PutIntoWriteBuffer(pending_head->chunk) )
-				break;
-
-			ChunkQueue* q = pending_head;
-			pending_head = pending_head->next;
-			if ( ! pending_head )
-				pending_tail = 0;
-
-			--stats.pending;
-			delete q;
-			}
-		}
-
-	bool rval = FlushWriteBuffer();
-
-	if ( ! pending_head && write_len == 0 )
-		write_flare.Extinguish();
-
-	return rval;
-	}
-
-uint32 ChunkedIOFd::ChunkAvailable()
-	{
-	int bytes_left = read_len - read_pos;
-
-	if ( bytes_left < int(sizeof(uint32)) )
-		return 0;
-
-	bytes_left -= sizeof(uint32);
-
-	// We have to copy the value here as it may not be
-	// aligned correctly in the data.
-	uint32 len;
-	memcpy(&len, read_buffer + read_pos, sizeof(len));
-	len = ntohl(len);
-
-	if ( uint32(bytes_left) < (len & ~FLAG_PARTIAL) )
-		return 0;
-
-	assert(len & ~FLAG_PARTIAL);
-
-	return len;
-	}
-
-ChunkedIO::Chunk* ChunkedIOFd::ExtractChunk()
-	{
-	uint32 len = ChunkAvailable();
-	uint32 real_len = len & ~FLAG_PARTIAL;
-	if ( ! real_len )
-		return 0;
-
-	read_pos += sizeof(uint32);
-
-	Chunk* chunk = new Chunk(new char[real_len], len);
-	memcpy(chunk->data, read_buffer + read_pos, real_len);
-	read_pos += real_len;
-
-	++stats.chunks_read;
-
-	return chunk;
-	}
-
-ChunkedIO::Chunk* ChunkedIOFd::ConcatChunks(Chunk* c1, Chunk* c2)
-	{
-	uint32 sz = c1->len + c2->len;
-	Chunk* c = new Chunk(new char[sz], sz);
-
-	memcpy(c->data, c1->data, c1->len);
-	memcpy(c->data + c1->len, c2->data, c2->len);
-
-	delete c1;
-	delete c2;
-
-	return c;
-	}
-
-void ChunkedIO::Log(const char* str)
-	{
-	//RemoteSerializer::Log(RemoteSerializer::LogError, str);
-	}
-
-bool ChunkedIOFd::Read(Chunk** chunk, bool may_block)
-	{
-	*chunk = 0;
-
-	// We will be called regularly. So take the opportunity
-	// to flush the write buffer once in a while.
-	OptionalFlush();
-
-	if ( ! ReadChunk(chunk, may_block) )
-		{
-#ifdef DEBUG_COMMUNICATION
-		AddToBuffer("<false:read-chunk>", true);
-#endif
-		if ( ! ChunkAvailable() )
-			read_flare.Extinguish();
-
-		return false;
-		}
-
-	if ( ! *chunk )
-		{
-#ifdef DEBUG_COMMUNICATION
-		AddToBuffer("<null:no-data>", true);
-#endif
-		read_flare.Extinguish();
-		return true;
-		}
-
-	if ( ChunkAvailable() )
-		read_flare.Fire();
-	else
-		read_flare.Extinguish();
-
-#ifdef DEBUG
-	if ( *chunk )
-		DBG_LOG(DBG_CHUNKEDIO, "read of size %d %s[%s]",
-				(*chunk)->len & ~FLAG_PARTIAL,
-				(*chunk)->len & FLAG_PARTIAL ? "(P) " : "",
-				fmt_bytes((*chunk)->data,
-						min((uint32)20, (*chunk)->len)));
-#endif
-
-	if ( ! ((*chunk)->len & FLAG_PARTIAL) )
-		{
-		if ( ! partial )
-			{
-#ifdef DEBUG_COMMUNICATION
-			AddToBuffer(*chunk, true);
-#endif
-			return true;
-			}
-		else
-			{
-			// This is the last chunk of an oversized one.
-			*chunk = ConcatChunks(partial, *chunk);
-			partial = 0;
-
-#ifdef DEBUG
-			if ( *chunk )
-				DBG_LOG(DBG_CHUNKEDIO,
-					"built virtual chunk of size %d [%s]",
-					(*chunk)->len,
-					fmt_bytes((*chunk)->data, 20));
-#endif
-
-#ifdef DEBUG_COMMUNICATION
-			AddToBuffer(*chunk, true);
-#endif
-			return true;
-			}
-		}
-
-	// This chunk is the non-last part of an oversized.
-	(*chunk)->len &= ~FLAG_PARTIAL;
-
-	if ( ! partial )
-		// First part of oversized chunk.
-		partial = *chunk;
-	else
-		partial = ConcatChunks(partial, *chunk);
-
-#ifdef DEBUG_COMMUNICATION
-	AddToBuffer("<null:partial>", true);
-#endif
-
-	*chunk = 0;
-	return true; // Read following part next time.
-	}
-
-bool ChunkedIOFd::ReadChunk(Chunk** chunk, bool may_block)
-	{
-	// We will be called regularly. So take the opportunity
-	// to flush the write buffer once in a while.
-	OptionalFlush();
-
-	*chunk = ExtractChunk();
-	if ( *chunk )
-		return true;
-
-	int bytes_left = read_len - read_pos;
-
-	// If we have a partial chunk left, move this to the head of
-	// the buffer.
-	if ( bytes_left )
-		memmove(read_buffer, read_buffer + read_pos, bytes_left);
-
-	read_pos = 0;
-	read_len = bytes_left;
-
-	if ( ! ChunkAvailable() )
-		read_flare.Extinguish();
-
-	// If allowed, wait a bit for something to read.
-	if ( may_block )
-		{
-		fd_set fd_read, fd_write, fd_except;
-
-		FD_ZERO(&fd_read);
-		FD_ZERO(&fd_write);
-		FD_ZERO(&fd_except);
-		FD_SET(fd, &fd_read);
-
-		struct timeval small_timeout;
-		small_timeout.tv_sec = 0;
-		small_timeout.tv_usec = 50;
-
-		select(fd + 1, &fd_read, &fd_write, &fd_except, &small_timeout);
-		}
-
-	// Make sure the process is still runnning
-	// (only checking for EPIPE after a read doesn't
-	// seem to be sufficient).
-	if ( pid && kill(pid, 0) < 0 && errno != EPERM )
-		{
-		eof = true;
-		errno = EPIPE;
-		return false;
-		}
-
-	// Try to fill the buffer.
-	while ( true )
-		{
-		int len = BUFFER_SIZE - read_len;
-		int read = ::read(fd, read_buffer + read_len, len);
-
-		if ( read < 0 )
-			{
-			if ( errno != EINTR )
-				{
-				// These errnos are equal on POSIX.
-				if ( errno == EWOULDBLOCK || errno == EAGAIN )
-					{
-					// Let's see if we have a chunk now --
-					// even if we time out, we may have read
-					// just enough in previous iterations!
-					*chunk = ExtractChunk();
-					++failed_reads;
-					return true;
-					}
-
-				if ( errno == EPIPE )
-					eof = true;
-
-				return false;
-				}
-
-			else
-				read = 0;
-			}
-
-		failed_reads = 0;
-
-		if ( read == 0 && len != 0 )
-			{
-			*chunk = ExtractChunk();
-			if ( *chunk )
-				return true;
-
-			eof = true;
-			return false;
-			}
-
-		read_len += read;
-
-		++stats.reads;
-		stats.bytes_read += read;
-
-		if ( read == len )
-			break;
-		}
-
-	// Let's see if we have a chunk now.
-	*chunk = ExtractChunk();
-
-	return true;
-	}
-
-bool ChunkedIOFd::CanRead()
-	{
-	// We will be called regularly. So take the opportunity
-	// to flush the write buffer once in a while.
-	OptionalFlush();
-
-	if ( ChunkAvailable() )
-		return true;
-
-	fd_set fd_read;
-	FD_ZERO(&fd_read);
-	FD_SET(fd, &fd_read);
-
-	struct timeval no_timeout;
-	no_timeout.tv_sec = 0;
-	no_timeout.tv_usec = 0;
-
-	return select(fd + 1, &fd_read, 0, 0, &no_timeout) > 0;
-	}
-
-bool ChunkedIOFd::CanWrite()
-	{
-	return pending_head != 0;
-	}
-
-bool ChunkedIOFd::IsIdle()
-	{
-	if ( pending_head || ChunkAvailable() )
-		return false;
-
-	if ( failed_reads > 0 )
-		return true;
-
-	return false;
-	}
-
-bool ChunkedIOFd::IsFillingUp()
-	{
-	return stats.pending > chunked_io_buffer_soft_cap;
-	}
-
-iosource::FD_Set ChunkedIOFd::ExtraReadFDs() const
-	{
-	iosource::FD_Set rval;
-	rval.Insert(write_flare.FD());
-	rval.Insert(read_flare.FD());
-	return rval;
-	}
-
-void ChunkedIOFd::Clear()
-	{
-	while ( pending_head )
-		{
-		ChunkQueue* next = pending_head->next;
-		delete pending_head->chunk;
-		delete pending_head;
-		pending_head = next;
-		}
-
-	pending_head = pending_tail = 0;
-
-	if ( write_len == 0 )
-		write_flare.Extinguish();
-	}
-
-const char* ChunkedIOFd::Error()
-	{
-	static char buffer[1024];
-	safe_snprintf(buffer, sizeof(buffer), "%s [%d]", strerror(errno), errno);
-
-	return buffer;
-	}
-
-void ChunkedIOFd::Stats(char* buffer, int length)
-	{
-	int i = safe_snprintf(buffer, length, "pending=%d ", stats.pending);
-	ChunkedIO::Stats(buffer + i, length - i);
-	}
-
-SSL_CTX* ChunkedIOSSL::ctx;
-
-ChunkedIOSSL::ChunkedIOSSL(int arg_socket, bool arg_server)
-	{
-	socket = arg_socket;
-	last_ret = 0;
-	eof = false;
-	setup = false;
-	server = arg_server;
-	ssl = 0;
-
-	write_state = LEN;
-	write_head = 0;
-	write_tail = 0;
-
-	read_state = LEN;
-	read_chunk = 0;
-	read_ptr = 0;
-	}
-
-ChunkedIOSSL::~ChunkedIOSSL()
-	{
-	if ( setup )
-		{
-		SSL_shutdown(ssl);
-
-		// We don't care if the other side closes properly.
-		setup = false;
-		}
-
-	if ( ssl )
-		{
-		SSL_free(ssl);
-		ssl = 0;
-		}
-
-	safe_close(socket);
-	}
-
-
-static int pem_passwd_cb(char* buf, int size, int rwflag, void* passphrase)
-	{
-	safe_strncpy(buf, (char*) passphrase, size);
-	buf[size - 1] = '\0';
-	return strlen(buf);
-	}
-
-bool ChunkedIOSSL::Init()
-	{
-	// If the handshake doesn't succeed immediately we will
-	// be called multiple times.
-	if ( ! ctx )
-		{
-		SSL_load_error_strings();
-
-		ctx = SSL_CTX_new(SSLv23_method());
-		if ( ! ctx )
-			{
-			Log("can't create SSL context");
-			return false;
-			}
-
-		// We access global variables here. But as they are
-		// declared const and we don't modify them this should
-		// be fine.
-		const char* key = ssl_private_key->AsString()->CheckString();
-
-		if ( ! (key && *key &&
-			SSL_CTX_use_certificate_chain_file(ctx, key)) )
-			{
-			Log(fmt("can't read certificate from file %s", key));
-			return false;
-			}
-
-		const char* passphrase =
-			ssl_passphrase->AsString()->CheckString();
-
-		if ( passphrase && ! streq(passphrase, "<undefined>") )
-			{
-			SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
-			SSL_CTX_set_default_passwd_cb_userdata(ctx,
-							(void*) passphrase);
-			}
-
-		if ( ! (key && *key &&
-			SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) )
-			{
-			Log(fmt("can't read private key from file %s", key));
-			return false;
-			}
-
-		const char* ca = ssl_ca_certificate->AsString()->CheckString();
-		if ( ! (ca && *ca && SSL_CTX_load_verify_locations(ctx, ca, 0)) )
-			{
-			Log(fmt("can't read CA certificate from file %s", ca));
-			return false;
-			}
-
-		// Only use real ciphers.
-		if ( ! SSL_CTX_set_cipher_list(ctx, "HIGH") )
-			{
-			Log("can't set cipher list");
-			return false;
-			}
-
-		// Require client certificate.
-		SSL_CTX_set_verify(ctx,
-			SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
-		}
-
-	int flags;
-
-	if ( (flags = fcntl(socket, F_GETFL, 0)) < 0)
-		{
-		Log(fmt("can't obtain socket flags: %s", strerror(errno)));
-		return false;
-		}
-
-	if ( fcntl(socket, F_SETFL, flags|O_NONBLOCK) < 0 )
-		{
-		Log(fmt("can't set socket to non-blocking: %s",
-			  strerror(errno)));
-		return false;
-		}
-
-	if ( ! ssl )
-		{
-		ssl = SSL_new(ctx);
-		if ( ! ssl )
-			{
-			Log("can't create SSL object");
-			return false;
-			}
-
-		BIO* bio = BIO_new_socket(socket, BIO_NOCLOSE);
-		BIO_set_nbio(bio, 1);
-		SSL_set_bio(ssl, bio, bio);
-		}
-
-	int success;
-	if ( server )
-		success = last_ret = SSL_accept(ssl);
-	else
-		success = last_ret = SSL_connect(ssl);
-
-	if ( success > 0 )
-		{ // handshake done
-		setup = true;
-		return true;
-		}
-
-	int error = SSL_get_error(ssl, success);
-
-	if ( success <= 0 &&
-	     (error == SSL_ERROR_WANT_WRITE || error == SSL_ERROR_WANT_READ) )
-		// Handshake not finished yet, but that's ok for now.
-		return true;
-
-	// Some error.
-	eof = true;
-	return false;
-	}
-
-bool ChunkedIOSSL::Write(Chunk* chunk)
-	{
-#ifdef DEBUG
-	DBG_LOG(DBG_CHUNKEDIO, "ssl write of size %d [%s]",
-		chunk->len, fmt_bytes(chunk->data, 20));
-#endif
-
-	// Queue it.
-	++stats.pending;
-	Queue* q = new Queue;
-	q->chunk = chunk;
-	q->next = 0;
-
-	// Temporarily convert len into network byte order.
-	chunk->len = htonl(chunk->len);
-
-	if ( write_tail )
-		{
-		write_tail->next = q;
-		write_tail = q;
-		}
-	else
-		write_head = write_tail = q;
-
-	write_flare.Fire();
-	Flush();
-	return true;
-	}
-
-bool ChunkedIOSSL::WriteData(char* p, uint32 len, bool* error)
-	{
-	*error = false;
-
-	double t = current_time();
-
-	int written = last_ret = SSL_write(ssl, p, len);
-
-	switch ( SSL_get_error(ssl, written) ) {
-		case SSL_ERROR_NONE:
-			// SSL guarantees us that all bytes have been written.
-			// That's nice. :-)
-			return true;
-
-		case SSL_ERROR_WANT_READ:
-		case SSL_ERROR_WANT_WRITE:
-			// Would block.
-			DBG_LOG(DBG_CHUNKEDIO,
-				"SSL_write: SSL_ERROR_WANT_READ [%d,%d]",
-				written, SSL_get_error(ssl, written));
-			*error = false;
-			return false;
-
-		case SSL_ERROR_ZERO_RETURN:
-			// Regular remote connection shutdown.
-			DBG_LOG(DBG_CHUNKEDIO,
-				"SSL_write: SSL_ZERO_RETURN [%d,%d]",
-				written, SSL_get_error(ssl, written));
-			*error = eof = true;
-			return false;
-
-		case SSL_ERROR_SYSCALL:
-			DBG_LOG(DBG_CHUNKEDIO,
-				"SSL_write: SSL_SYS_CALL [%d,%d]",
-				written, SSL_get_error(ssl, written));
-
-			if ( written == 0 )
-				{
-				// Socket connection closed.
-				*error = eof = true;
-				return false;
-				}
-
-			// Fall through.
-
-		default:
-			DBG_LOG(DBG_CHUNKEDIO,
-				"SSL_write: fatal error [%d,%d]",
-				written, SSL_get_error(ssl, written));
-			// Fatal SSL error.
-			*error = true;
-			return false;
-	}
-
-	InternalError("can't be reached");
-	return false;
-	}
-
-bool ChunkedIOSSL::Flush()
-	{
-	if ( ! setup )
-		{
-		// We may need to finish the handshake.
-		if ( ! Init() )
-			return false;
-		if ( ! setup )
-			return true;
-		}
-
-	while ( write_head )
-		{
-		bool error;
-
-		Chunk* c = write_head->chunk;
-
-		if ( write_state == LEN )
-			{
-			if ( ! WriteData((char*)&c->len, sizeof(c->len), &error) )
-				return ! error;
-			write_state = DATA;
-
-			// Convert back from network byte order.
-			c->len = ntohl(c->len);
-			}
-
-		if ( ! WriteData(c->data, c->len, &error) )
-			return ! error;
-
-		// Chunk written, throw away.
-		Queue* q = write_head;
-		write_head = write_head->next;
-		if ( ! write_head )
-			write_tail = 0;
-		--stats.pending;
-		delete q;
-
-		delete c;
-
-		write_state = LEN;
-		}
-
-	write_flare.Extinguish();
-	return true;
-	}
-
-bool ChunkedIOSSL::ReadData(char* p, uint32 len, bool* error)
-	{
-	if ( ! read_ptr )
-		read_ptr = p;
-
-	while ( true )
-		{
-		double t = current_time();
-
-		int read = last_ret =
-			SSL_read(ssl, read_ptr, len - (read_ptr - p));
-
-		switch ( SSL_get_error(ssl, read) ) {
-		case SSL_ERROR_NONE:
-			// We're fine.
-			read_ptr += read;
-
-			if ( unsigned(read_ptr - p) == len )
-				{
-				// We have read as much as requested..
-				read_ptr = 0;
-				*error = false;
-				return true;
-				}
-
-			break;
-
-		case SSL_ERROR_WANT_READ:
-		case SSL_ERROR_WANT_WRITE:
-			// Would block.
-			DBG_LOG(DBG_CHUNKEDIO,
-				"SSL_read: SSL_ERROR_WANT_READ [%d,%d]",
-				read, SSL_get_error(ssl, read));
-			*error = false;
-			return false;
-
-		case SSL_ERROR_ZERO_RETURN:
-			// Regular remote connection shutdown.
-			DBG_LOG(DBG_CHUNKEDIO,
-				"SSL_read: SSL_ZERO_RETURN [%d,%d]",
-				read, SSL_get_error(ssl, read));
-			*error = eof = true;
-			return false;
-
-		case SSL_ERROR_SYSCALL:
-			DBG_LOG(DBG_CHUNKEDIO, "SSL_read: SSL_SYS_CALL [%d,%d]",
-				read, SSL_get_error(ssl, read));
-
-			if ( read == 0 )
-				{
-				// Socket connection closed.
-				*error = eof = true;
-				return false;
-				}
-
-			// Fall through.
-
-		default:
-			DBG_LOG(DBG_CHUNKEDIO,
-				"SSL_read: fatal error [%d,%d]",
-				read, SSL_get_error(ssl, read));
-
-			// Fatal SSL error.
-			*error = true;
-			return false;
-		}
-		}
-
-	// Can't be reached.
-	InternalError("can't be reached");
-	return false;
-	}
-
-bool ChunkedIOSSL::Read(Chunk** chunk, bool mayblock)
-	{
-	*chunk = 0;
-
-	if ( ! setup )
-		{
-		// We may need to finish the handshake.
-		if ( ! Init() )
-			return false;
-		if ( ! setup )
-			return true;
-		}
-
-	bool error;
-
-	Flush();
-
-	if ( read_state == LEN )
-		{
-		if ( ! read_chunk )
-			{
-			read_chunk = new Chunk;
-			read_chunk->data = 0;
-			}
-
-		if ( ! ReadData((char*)&read_chunk->len,
-				sizeof(read_chunk->len),
-				&error) )
-			return ! error;
-
-		read_state = DATA;
-		read_chunk->len = ntohl(read_chunk->len);
-		}
-
-	if ( ! read_chunk->data )
-		{
-		read_chunk->data = new char[read_chunk->len];
-		read_chunk->free_func = Chunk::free_func_delete;
-		}
-
-	if ( ! ReadData(read_chunk->data, read_chunk->len, &error) )
-		return ! error;
-
-	// Chunk fully read. Pass it on.
-	*chunk = read_chunk;
-	read_chunk = 0;
-	read_state = LEN;
-
-#ifdef DEBUG
-	DBG_LOG(DBG_CHUNKEDIO, "ssl read of size %d [%s]",
-		(*chunk)->len, fmt_bytes((*chunk)->data, 20));
-#endif
-
-	return true;
-	}
-
-bool ChunkedIOSSL::CanRead()
-	{
-	// We will be called regularly. So take the opportunity
-	// to flush the write buffer.
-	Flush();
-
-	if ( SSL_pending(ssl) )
-		return true;
-
-	fd_set fd_read;
-	FD_ZERO(&fd_read);
-	FD_SET(socket, &fd_read);
-
-	struct timeval notimeout;
-	notimeout.tv_sec = 0;
-	notimeout.tv_usec = 0;
-
-	return select(socket + 1, &fd_read, NULL, NULL, &notimeout) > 0;
-	}
-
-bool ChunkedIOSSL::CanWrite()
-	{
-	return write_head != 0;
-	}
-
-bool ChunkedIOSSL::IsIdle()
-	{
-	return ! (CanRead() || CanWrite());
-	}
-
-bool ChunkedIOSSL::IsFillingUp()
-	{
-	// We don't really need this at the moment (since SSL is only used for
-	// peer-to-peer communication). Thus, we always return false for now.
-	return false;
-	}
-
-iosource::FD_Set ChunkedIOSSL::ExtraReadFDs() const
-	{
-	iosource::FD_Set rval;
-	rval.Insert(write_flare.FD());
-	return rval;
-	}
-
-void ChunkedIOSSL::Clear()
-	{
-	while ( write_head )
-		{
-		Queue* next = write_head->next;
-		delete write_head->chunk;
-		delete write_head;
-		write_head = next;
-		}
-	write_head = write_tail = 0;
-	write_flare.Extinguish();
-	}
-
-const char* ChunkedIOSSL::Error()
-	{
-	const int BUFLEN = 512;
-	static char buffer[BUFLEN];
-
-	int sslcode = SSL_get_error(ssl, last_ret);
-	int errcode = ERR_get_error();
-
-	int count = safe_snprintf(buffer, BUFLEN, "[%d,%d,%d] SSL error: ",
-					errcode, sslcode, last_ret);
-
-	if ( errcode )
-		ERR_error_string_n(errcode, buffer + count, BUFLEN - count);
-
-	else if ( sslcode == SSL_ERROR_SYSCALL )
-		{
-		if ( last_ret )
-			// Look at errno.
-			safe_snprintf(buffer + count, BUFLEN - count,
-					"syscall: %s", strerror(errno));
-		else
-			// Errno is not valid in this case.
-			safe_strncpy(buffer + count,
-					"syscall: unexpected end-of-file",
-					BUFLEN - count);
-		}
-	else
-		safe_strncpy(buffer + count, "unknown error", BUFLEN - count);
-
-	return buffer;
-	}
-
-void ChunkedIOSSL::Stats(char* buffer, int length)
-	{
-	int i = safe_snprintf(buffer, length, "pending=%ld ", stats.pending);
-	ChunkedIO::Stats(buffer + i, length - i);
-	}
-
-bool CompressedChunkedIO::Init()
-	{
-	zin.zalloc = 0;
-	zin.zfree = 0;
-	zin.opaque = 0;
-
-	zout.zalloc = 0;
-	zout.zfree = 0;
-	zout.opaque = 0;
-
-	compress = uncompress = false;
-	error = 0;
-	uncompressed_bytes_read	= 0;
-	uncompressed_bytes_written = 0;
-
-	return true;
-	}
-
-bool CompressedChunkedIO::Read(Chunk** chunk, bool may_block)
-	{
-	if ( ! io->Read(chunk, may_block) )
-		return false;
-
-	if ( ! uncompress )
-		return true;
-
-	if ( ! *chunk )
-		return true;
-
-	uint32 uncompressed_len =
-		*(uint32*)((*chunk)->data + (*chunk)->len - sizeof(uint32));
-
-	if ( uncompressed_len == 0 )
-		{
-		// Not compressed.
-		DBG_LOG(DBG_CHUNKEDIO, "zlib read pass-through: size=%d",
-			(*chunk)->len);
-		return true;
-		}
-
-	char* uncompressed = new char[uncompressed_len];
-
-	DBG_LOG(DBG_CHUNKEDIO, "zlib read: size=%d uncompressed=%d",
-		(*chunk)->len, uncompressed_len);
-
-	zin.next_in = (Bytef*) (*chunk)->data;
-	zin.avail_in = (*chunk)->len - sizeof(uint32);
-	zin.next_out = (Bytef*) uncompressed;
-	zin.avail_out = uncompressed_len;
-
-	if ( inflate(&zin, Z_SYNC_FLUSH) != Z_OK )
-		{
-		error = zin.msg;
-		return false;
-		}
-
-	if ( zin.avail_in > 0 )
-		{
-		error = "compressed data longer than expected";
-		return false;
-		}
-
-	(*chunk)->free_func((*chunk)->data);
-
-	uncompressed_bytes_read += uncompressed_len;
-
-	(*chunk)->len = uncompressed_len;
-	(*chunk)->data = uncompressed;
-	(*chunk)->free_func = Chunk::free_func_delete;
-
-	return true;
-	}
-
-bool CompressedChunkedIO::Write(Chunk* chunk)
-	{
-	if ( (! compress) || IsPure() )
-		// No compression.
-		return io->Write(chunk);
-
-	// We compress block-wise (rather than stream-wise) because:
-	//
-	// (1) it's significantly easier to implement due to our block-oriented
-	// communication model (with a stream compression, we'd need to chop
-	// the stream into blocks during decompression which would require
-	// additional buffering and copying).
-	//
-	// (2) it ensures that we do not introduce any additional latencies (a
-	// stream compression may decide to wait for the next chunk of data
-	// before writing anything out).
-	//
-	// The block-wise compression comes at the cost of a smaller compression
-	// factor.
-	//
-	// A compressed chunk's data looks like this:
-	//   char[] compressed data
-	//   uint32 uncompressed_length
-	//
-	// By including uncompressed_length, we again trade easier
-	// decompression for a smaller reduction factor. If uncompressed_length
-	// is zero, the data is *not* compressed.
-
-	uncompressed_bytes_written += chunk->len;
-	uint32 original_size = chunk->len;
-
-	char* compressed = new char[chunk->len + sizeof(uint32)];
-
-	if ( chunk->len < MIN_COMPRESS_SIZE )
-		{
-		// Too small; not worth any compression.
-		memcpy(compressed, chunk->data, chunk->len);
-		*(uint32*) (compressed + chunk->len) = 0; // uncompressed_length
-
-		chunk->free_func(chunk->data);
-		chunk->data = compressed;
-		chunk->free_func = Chunk::free_func_delete;
-		chunk->len += 4;
-
-		DBG_LOG(DBG_CHUNKEDIO, "zlib write pass-through: size=%d", chunk->len);
-		}
-	else
-		{
-		zout.next_in = (Bytef*) chunk->data;
-		zout.avail_in = chunk->len;
-		zout.next_out = (Bytef*) compressed;
-		zout.avail_out = chunk->len;
-
-		if ( deflate(&zout, Z_SYNC_FLUSH) != Z_OK )
-			{
-			error = zout.msg;
-			return false;
-			}
-
-		while ( zout.avail_out == 0 )
-			{
-			// D'oh! Not enough space, i.e., it hasn't got smaller.
-			char* old = compressed;
-			int old_size = (char*) zout.next_out - compressed;
-			int new_size = old_size * 2 + sizeof(uint32);
-
-			compressed = new char[new_size];
-			memcpy(compressed, old, old_size);
-			delete [] old;
-
-			zout.next_out = (Bytef*) (compressed + old_size);
-			zout.avail_out = old_size; // Sic! We doubled.
-
-			if ( deflate(&zout, Z_SYNC_FLUSH) != Z_OK )
-				{
-				error = zout.msg;
-				return false;
-				}
-			}
-
-		*(uint32*) zout.next_out = original_size; // uncompressed_length
-
-		chunk->free_func(chunk->data);
-		chunk->data = compressed;
-		chunk->free_func = Chunk::free_func_delete;
-		chunk->len =
-			((char*) zout.next_out - compressed) + sizeof(uint32);
-
-		DBG_LOG(DBG_CHUNKEDIO, "zlib write: size=%d compressed=%d",
-			original_size, chunk->len);
-		}
-
-	return io->Write(chunk);
-	}
-
-void CompressedChunkedIO::Stats(char* buffer, int length)
-	{
-	const Statistics* stats = io->Stats();
-
-	int i = snprintf(buffer, length, "compression=%.2f/%.2f ",
-			uncompressed_bytes_read ? double(stats->bytes_read) / uncompressed_bytes_read : -1,
-			uncompressed_bytes_written ? double(stats->bytes_written) / uncompressed_bytes_written : -1 );
-
-	io->Stats(buffer + i, length - i);
-	buffer[length-1] = '\0';
-	}
diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h
deleted file mode 100644
index e9b41476df..0000000000
--- a/src/ChunkedIO.h
+++ /dev/null
@@ -1,362 +0,0 @@
-// Implements non-blocking chunk-wise I/O.
-
-#ifndef CHUNKEDIO_H
-#define CHUNKEDIO_H
-
-#include "bro-config.h"
-#include "List.h"
-#include "util.h"
-#include "Flare.h"
-#include "iosource/FD_Set.h"
-#include <list>
-
-#ifdef NEED_KRB5_H
-# include <krb5.h>
-#endif
-
-class CompressedChunkedIO;
-
-// #define DEBUG_COMMUNICATION 10
-
-// Abstract base class.
-class ChunkedIO {
-public:
-	ChunkedIO();
-	virtual ~ChunkedIO()	{ }
-
-	struct Chunk {
-		typedef void (*FreeFunc)(char*);
-		static void free_func_free(char* data)	{ free(data); }
-		static void free_func_delete(char* data)	{ delete [] data; }
-
-		Chunk()
-		    : data(), len(), free_func(free_func_delete)
-			{ }
-
-		// Takes ownership of data.
-		Chunk(char* arg_data, uint32 arg_len,
-		      FreeFunc arg_ff = free_func_delete)
-			: data(arg_data), len(arg_len), free_func(arg_ff)
-			{ }
-
-		~Chunk()
-			{ free_func(data); }
-
-		char* data;
-		uint32 len;
-		FreeFunc free_func;
-	};
-
-	// Initialization before any I/O operation is performed. Returns false
-	// on any form of error.
-	virtual bool Init()	{ return true; }
-
-	// Tries to read the next chunk of data. If it can be read completely,
-	// a pointer to it is returned in 'chunk' (ownership of chunk is
-	// passed).  If not, 'chunk' is set to nil.  Returns false if any
-	// I/O error occurred (use Eof() to see if it's an end-of-file).
-	// If 'may_block' is true, we explicitly allow blocking.
-	virtual bool Read(Chunk** chunk, bool may_block = false) = 0;
-
-	// Puts the chunk into the write queue and writes as much data
-	// as possible (takes ownership of chunk).
-	// Returns false on any I/O error.
-	virtual bool Write(Chunk* chunk) = 0;
-
-	// Tries to write as much as currently possible.
-	// Returns false on any I/O error.
-	virtual bool Flush() = 0;
-
-	// If an I/O error has been encountered, returns a string describing it.
-	virtual const char* Error() = 0;
-
-	// Return true if there is currently at least one chunk available
-	// for reading.
-	virtual bool CanRead() = 0;
-
-	// Return true if there is currently at least one chunk waiting to be
-	// written.
-	virtual bool CanWrite() = 0;
-
-	// Returns true if source believes that there won't be much data soon.
-	virtual bool IsIdle() = 0;
-
-	// Returns true if internal write buffers are about to fill up.
-	virtual bool IsFillingUp() = 0;
-
-	// Throws away buffered data.
-	virtual void Clear() = 0;
-
-	// Returns true,if end-of-file has been reached.
-	virtual bool Eof() = 0;
-
-	// Returns underlying fd if available, -1 otherwise.
-	virtual int Fd()	{ return -1; }
-
-	// Returns supplementary file descriptors that become read-ready in order
-	// to signal that there is some work that can be performed.
-	virtual iosource::FD_Set ExtraReadFDs() const
-		{ return iosource::FD_Set(); }
-
-	// Makes sure that no additional protocol data is written into
-	// the output stream.  If this is activated, the output cannot
-	// be read again by any of these classes!
-	void MakePure()	{ pure = true; }
-	bool IsPure()	{ return pure; }
-
-	// Writes a log message to the error_fd.
-	void Log(const char* str);
-
-	struct Statistics {
-		Statistics()
-			{
-			bytes_read = 0;
-			bytes_written = 0;
-			chunks_read = 0;
-			chunks_written = 0;
-			reads = 0;
-			writes = 0;
-			pending = 0;
-			}
-
-		unsigned long bytes_read;
-		unsigned long bytes_written;
-		unsigned long chunks_read;
-		unsigned long chunks_written;
-		unsigned long reads;	// # calls which transferred > 0 bytes
-		unsigned long writes;
-		unsigned long pending;
-		};
-
-	// Returns raw statistics.
-	const Statistics* Stats() const 	{ return &stats; }
-
-	// Puts a formatted string containing statistics into buffer.
-	virtual void Stats(char* buffer, int length);
-
-#ifdef DEBUG_COMMUNICATION
-	void DumpDebugData(const char* basefnname, bool want_reads);
-#endif
-
-protected:
-	void InternalError(const char* msg)
-		// We can't use the reporter here as we might be running in a
-		// sub-process.
-		{ fprintf(stderr, "%s", msg); abort(); }
-
-	Statistics stats;
-	const char* tag;
-
-#ifdef DEBUG_COMMUNICATION
-	void AddToBuffer(char* data, bool is_read)
-		{ AddToBuffer(strlen(data), data, is_read); }
-	void AddToBuffer(uint32 len, char* data, bool is_read);
-	void AddToBuffer(Chunk* chunk, bool is_read);
-	std::list<Chunk*> data_read;
-	std::list<Chunk*> data_written;
-#endif
-
-private:
-	bool pure;
-};
-
-// Chunked I/O using a file descriptor.
-class ChunkedIOFd : public ChunkedIO {
-public:
-	// fd is an open bidirectional file descriptor, tag is used in error
-	// messages, and pid gives a pid to monitor (if the process dies, we
-	// return EOF).
-	ChunkedIOFd(int fd, const char* tag, pid_t pid = 0);
-	~ChunkedIOFd() override;
-
-	bool Read(Chunk** chunk, bool may_block = false) override;
-	bool Write(Chunk* chunk) override;
-	bool Flush() override;
-	const char* Error() override;
-	bool CanRead() override;
-	bool CanWrite() override;
-	bool IsIdle() override;
-	bool IsFillingUp() override;
-	void Clear() override;
-	bool Eof() override { return eof; }
-	int Fd() override { return fd; }
-	iosource::FD_Set ExtraReadFDs() const override;
-	void Stats(char* buffer, int length) override;
-
-private:
-
-	bool PutIntoWriteBuffer(Chunk* chunk);
-	bool FlushWriteBuffer();
-	Chunk* ExtractChunk();
-
-	// Returns size of next chunk in buffer or 0 if none.
-	uint32 ChunkAvailable();
-
-	// Flushes if it thinks it is time to.
-	bool OptionalFlush();
-
-	// Concatenates the the data of the two chunks forming a new one.
-	// The old chunkds are deleted.
-	Chunk* ConcatChunks(Chunk* c1, Chunk* c2);
-
-	// Reads/writes on chunk of upto BUFFER_SIZE bytes.
-	bool WriteChunk(Chunk* chunk, bool partial);
-	bool ReadChunk(Chunk** chunk, bool may_block);
-
-	int fd;
-	bool eof;
-	double last_flush;
-	int failed_reads;
-
-	// Optimally, this should match the file descriptor's
-	// buffer size (for sockets, it may be helpful to
-	// increase the send/receive buffers).
-	static const unsigned int BUFFER_SIZE = 1024 * 1024 * 1;
-
-	// We 'or' this to the length of a data chunk to mark
-	// that it's part of a larger one. This has to be larger
-	// than BUFFER_SIZE.
-	static const uint32 FLAG_PARTIAL = 0x80000000;
-
-	char* read_buffer;
-	uint32 read_len;
-	uint32 read_pos;
-	Chunk* partial;	// when we read an oversized chunk, we store it here
-
-	char* write_buffer;
-	uint32 write_len;
-	uint32 write_pos;
-
-	struct ChunkQueue {
-		Chunk* chunk;
-		ChunkQueue* next;
-	};
-
-	// Chunks that don't fit into our write buffer.
-	ChunkQueue* pending_head;
-	ChunkQueue* pending_tail;
-
-	pid_t pid;
-	bro::Flare write_flare;
-	bro::Flare read_flare;
-};
-
-// From OpenSSL. We forward-declare these here to avoid introducing a
-// dependency on OpenSSL headers just for this header file.
-typedef struct ssl_ctx_st SSL_CTX;
-typedef struct ssl_st SSL;
-
-// Chunked I/O using an SSL connection.
-class ChunkedIOSSL : public ChunkedIO {
-public:
-	// Argument is an open socket and a flag indicating whether we are the
-	// server side of the connection.
-	ChunkedIOSSL(int socket, bool server);
-	~ChunkedIOSSL() override;
-
-	bool Init() override;
-	bool Read(Chunk** chunk, bool mayblock = false) override;
-	bool Write(Chunk* chunk) override;
-	bool Flush() override;
-	const char* Error() override;
-	bool CanRead() override;
-	bool CanWrite() override;
-	bool IsIdle() override;
-	bool IsFillingUp() override;
-	void Clear() override;
-	bool Eof() override { return eof; }
-	int Fd() override { return socket; }
-	iosource::FD_Set ExtraReadFDs() const override;
-	void Stats(char* buffer, int length) override;
-
-private:
-
-	// Only returns true if all data has been read. If not, call
-	// it again with the same parameters as long as error is not
-	// set to true.
-	bool ReadData(char* p, uint32 len, bool* error);
-	// Same for writing.
-	bool WriteData(char* p, uint32 len, bool* error);
-
-	int socket;
-	int last_ret;	// last error code
-	bool eof;
-
-	bool server;	// are we the server?
-	bool setup;	// has the connection been setup successfully?
-
-	SSL* ssl;
-
-	// Write queue.
-	struct Queue {
-		Chunk* chunk;
-		Queue* next;
-	};
-
-	// The chunk part we are reading/writing
-	enum State { LEN, DATA };
-
-	State write_state;
-	Queue* write_head;
-	Queue* write_tail;
-
-	State read_state;
-	Chunk* read_chunk;
-	char* read_ptr;
-
-	// One SSL for all connections.
-	static SSL_CTX* ctx;
-
-	bro::Flare write_flare;
-};
-
-#include <zlib.h>
-
-// Wrapper class around a another ChunkedIO which the (un-)compresses data.
-class CompressedChunkedIO : public ChunkedIO {
-public:
-	explicit CompressedChunkedIO(ChunkedIO* arg_io) // takes ownership
-	    : io(arg_io), zin(), zout(), error(), compress(), uncompress(),
-	      uncompressed_bytes_read(), uncompressed_bytes_written() {}
-	~CompressedChunkedIO() override { delete io; }
-
-	bool Init() override; // does *not* call arg_io->Init()
-	bool Read(Chunk** chunk, bool may_block = false) override;
-	bool Write(Chunk* chunk) override;
-	bool Flush() override { return io->Flush(); }
-	const char* Error() override { return error ? error : io->Error(); }
-	bool CanRead() override { return io->CanRead(); }
-	bool CanWrite() override { return io->CanWrite(); }
-	bool IsIdle() override { return io->IsIdle(); }
-	bool IsFillingUp() override { return io->IsFillingUp(); }
-	void Clear() override { return io->Clear(); }
-	bool Eof() override { return io->Eof(); }
-
-	int Fd() override { return io->Fd(); }
-	iosource::FD_Set ExtraReadFDs() const override
-		{ return io->ExtraReadFDs(); }
-	void Stats(char* buffer, int length) override;
-
-	void EnableCompression(int level)
-		{ deflateInit(&zout, level); compress = true; }
-	void EnableDecompression()
-		{ inflateInit(&zin); uncompress = true; }
-
-protected:
-	// Only compress block with size >= this.
-	static const unsigned int MIN_COMPRESS_SIZE = 30;
-
-	ChunkedIO* io;
-	z_stream zin;
-	z_stream zout;
-	const char* error;
-
-	bool compress;
-	bool uncompress;
-
-	// Keep some statistics.
-	unsigned long uncompressed_bytes_read;
-	unsigned long uncompressed_bytes_written;
-};
-
-#endif
diff --git a/src/Conn.cc b/src/Conn.cc
index d607550e8a..ae79ac4deb 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -50,70 +50,10 @@ void ConnectionTimer::Dispatch(double t, int is_expire)
 		reporter->InternalError("reference count inconsistency in ConnectionTimer::Dispatch");
 	}
 
-IMPLEMENT_SERIAL(ConnectionTimer, SER_CONNECTION_TIMER);
-
-bool ConnectionTimer::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_CONNECTION_TIMER, Timer);
-
-	// We enumerate all the possible timer functions here ... This
-	// has to match the list is DoUnserialize()!
-	char type = 0;
-
-	if ( timer == timer_func(&Connection::DeleteTimer) )
-		type = 1;
-	else if ( timer == timer_func(&Connection::InactivityTimer) )
-		type = 2;
-	else if ( timer == timer_func(&Connection::StatusUpdateTimer) )
-		type = 3;
-	else if ( timer == timer_func(&Connection::RemoveConnectionTimer) )
-		type = 4;
-	else
-		reporter->InternalError("unknown function in ConnectionTimer::DoSerialize()");
-
-	return conn->Serialize(info) && SERIALIZE(type) && SERIALIZE(do_expire);
-	}
-
-bool ConnectionTimer::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Timer);
-
-	conn = Connection::Unserialize(info);
-	if ( ! conn )
-		return false;
-
-	char type;
-
-	if ( ! UNSERIALIZE(&type) || ! UNSERIALIZE(&do_expire) )
-		return false;
-
-	switch ( type ) {
-	case 1:
-		timer = timer_func(&Connection::DeleteTimer);
-		break;
-	case 2:
-		timer = timer_func(&Connection::InactivityTimer);
-		break;
-	case 3:
-		timer = timer_func(&Connection::StatusUpdateTimer);
-		break;
-	case 4:
-		timer = timer_func(&Connection::RemoveConnectionTimer);
-		break;
-	default:
-		info->s->Error("unknown connection timer function");
-		return false;
-	}
-
-	return true;
-	}
-
 uint64 Connection::total_connections = 0;
 uint64 Connection::current_connections = 0;
 uint64 Connection::external_connections = 0;
 
-IMPLEMENT_SERIAL(Connection, SER_CONNECTION);
-
 Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id,
                        uint32 flow, const Packet* pkt,
 		       const EncapsulationStack* arg_encap)
@@ -900,139 +840,6 @@ void Connection::IDString(ODesc* d) const
 	d->Add(ntohs(resp_port));
 	}
 
-bool Connection::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Connection* Connection::Unserialize(UnserialInfo* info)
-	{
-	return (Connection*) SerialObj::Unserialize(info, SER_CONNECTION);
-	}
-
-bool Connection::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_CONNECTION, BroObj);
-
-	// First we write the members which are needed to
-	// create the HashKey.
-	if ( ! SERIALIZE(orig_addr) || ! SERIALIZE(resp_addr) )
-		return false;
-
-	if ( ! SERIALIZE(orig_port) || ! SERIALIZE(resp_port) )
-		return false;
-
-	if ( ! SERIALIZE(timers.length()) )
-		return false;
-
-	loop_over_list(timers, i)
-		if ( ! timers[i]->Serialize(info) )
-			return false;
-
-	SERIALIZE_OPTIONAL(conn_val);
-
-	// FIXME: RuleEndpointState not yet serializable.
-	// FIXME: Analyzers not yet serializable.
-
-	return
-		SERIALIZE(int(proto)) &&
-		SERIALIZE(history) &&
-		SERIALIZE(hist_seen) &&
-		SERIALIZE(start_time) &&
-		SERIALIZE(last_time) &&
-		SERIALIZE(inactivity_timeout) &&
-		SERIALIZE(suppress_event) &&
-		SERIALIZE(login_conn != 0) &&
-		SERIALIZE_BIT(installed_status_timer) &&
-		SERIALIZE_BIT(timers_canceled) &&
-		SERIALIZE_BIT(is_active) &&
-		SERIALIZE_BIT(skip) &&
-		SERIALIZE_BIT(weird) &&
-		SERIALIZE_BIT(finished) &&
-		SERIALIZE_BIT(record_packets) &&
-		SERIALIZE_BIT(record_contents);
-	}
-
-bool Connection::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	// Build the hash key first. Some of the recursive *::Unserialize()
-	// functions may need it.
-	ConnID id;
-
-	if ( ! UNSERIALIZE(&orig_addr) || ! UNSERIALIZE(&resp_addr) )
-		goto error;
-
-	if ( ! UNSERIALIZE(&orig_port) || ! UNSERIALIZE(&resp_port) )
-		goto error;
-
-	id.src_addr = orig_addr;
-	id.dst_addr = resp_addr;
-	// This doesn't work for ICMP. But I guess this is not really important.
-	id.src_port = orig_port;
-	id.dst_port = resp_port;
-	id.is_one_way = 0;	// ### incorrect for ICMP
-	key = BuildConnIDHashKey(id);
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		goto error;
-
-	while ( len-- )
-		{
-		Timer* t = Timer::Unserialize(info);
-		if ( ! t )
-			goto error;
-		timers.append(t);
-		}
-
-	UNSERIALIZE_OPTIONAL(conn_val,
-			(RecordVal*) Val::Unserialize(info, connection_type));
-
-	int iproto;
-
-	if ( ! (UNSERIALIZE(&iproto) &&
-		UNSERIALIZE(&history) &&
-		UNSERIALIZE(&hist_seen) &&
-		UNSERIALIZE(&start_time) &&
-		UNSERIALIZE(&last_time) &&
-		UNSERIALIZE(&inactivity_timeout) &&
-		UNSERIALIZE(&suppress_event)) )
-		goto error;
-
-	proto = static_cast<TransportProto>(iproto);
-
-	bool has_login_conn;
-	if ( ! UNSERIALIZE(&has_login_conn) )
-		goto error;
-
-	login_conn = has_login_conn ? (LoginConn*) this : 0;
-
-	UNSERIALIZE_BIT(installed_status_timer);
-	UNSERIALIZE_BIT(timers_canceled);
-	UNSERIALIZE_BIT(is_active);
-	UNSERIALIZE_BIT(skip);
-	UNSERIALIZE_BIT(weird);
-	UNSERIALIZE_BIT(finished);
-	UNSERIALIZE_BIT(record_packets);
-	UNSERIALIZE_BIT(record_contents);
-
-	// Hmm... Why does each connection store a sessions ptr?
-	sessions = ::sessions;
-
-	root_analyzer = 0;
-	primary_PIA = 0;
-	conn_timer_mgr = 0;
-
-	return true;
-
-error:
-	abort();
-	CancelTimers();
-	return false;
-	}
-
 void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia)
 	{
 	root_analyzer = analyzer;
diff --git a/src/Conn.h b/src/Conn.h
index fb7f5be0b4..bd5ddaae92 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -11,7 +11,6 @@
 #include "Dict.h"
 #include "Val.h"
 #include "Timer.h"
-#include "Serializer.h"
 #include "RuleMatcher.h"
 #include "IPAddr.h"
 #include "TunnelEncapsulation.h"
@@ -235,11 +234,6 @@ public:
 	// Returns true if connection has been received externally.
 	bool IsExternal() const	{ return conn_timer_mgr != 0; }
 
-	bool Serialize(SerialInfo* info) const;
-	static Connection* Unserialize(UnserialInfo* info);
-
-	DECLARE_SERIAL(Connection);
-
 	// Statistics.
 
 	// Just a lower bound.
@@ -385,8 +379,6 @@ protected:
 
 	void Init(Connection* conn, timer_func timer, int do_expire);
 
-	DECLARE_SERIAL(ConnectionTimer);
-
 	Connection* conn;
 	timer_func timer;
 	int do_expire;
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 7adc7aa65a..8f0425270d 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -12,8 +12,7 @@ DebugLogger debug_logger;
 // Same order here as in DebugStream.
 DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
 	{ "serial", 0, false }, { "rules", 0, false },
-	{ "state", 0, false }, { "chunkedio", 0, false },
-	{"string", 0, false },
+	{ "state", 0, false }, {"string", 0, false },
 	{ "notifiers", 0, false },  { "main-loop", 0, false },
 	{ "dpd", 0, false }, { "tm", 0, false },
 	{ "logging", 0, false }, {"input", 0, false },
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index db646bd0cf..2e24c7064f 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -14,10 +14,9 @@
 // an entry to DebugLogger::streams in DebugLogger.cc.
 
 enum DebugStream {
-	DBG_SERIAL,	// Serialization
+	DBG_SERIAL, // Serialization
 	DBG_RULES,	// Signature matching
 	DBG_STATE,	// StateAccess logging
-	DBG_CHUNKEDIO,	// ChunkedIO logging
 	DBG_STRING,	// String code
 	DBG_NOTIFIERS,	// Notifiers (see StateAccess.h)
 	DBG_MAINLOOP,	// Main IOSource loop
diff --git a/src/Event.cc b/src/Event.cc
index f033a01e40..ce854795bd 100644
--- a/src/Event.cc
+++ b/src/Event.cc
@@ -58,11 +58,12 @@ void Event::Dispatch(bool no_remote)
 	if ( src == SOURCE_BROKER )
 		no_remote = true;
 
+	/* Fixme: johanna
 	if ( event_serializer )
 		{
 		SerialInfo info(event_serializer);
 		event_serializer->Serialize(&info, handler->Name(), &args);
-		}
+		} */
 
 	if ( handler->ErrorHandler() )
 		reporter->BeginErrorHandler();
diff --git a/src/Event.h b/src/Event.h
index cafe0057d6..475dc5f577 100644
--- a/src/Event.h
+++ b/src/Event.h
@@ -4,7 +4,6 @@
 #define event_h
 
 #include "EventRegistry.h"
-#include "Serializer.h"
 
 #include "analyzer/Tag.h"
 #include "analyzer/Analyzer.h"
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index 718e6d6ae8..0f06ad50ca 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -171,23 +171,3 @@ void EventHandler::NewEvent(val_list* vl)
 	mgr.Dispatch(ev);
 	}
 
-bool EventHandler::Serialize(SerialInfo* info) const
-	{
-	return SERIALIZE(name);
-	}
-
-EventHandler* EventHandler::Unserialize(UnserialInfo* info)
-	{
-	char* name;
-	if ( ! UNSERIALIZE_STR(&name, 0) )
-		return 0;
-
-	EventHandler* h = event_registry->Lookup(name);
-	if ( ! h )
-		{
-		h = new EventHandler(name);
-		event_registry->Register(h);
-		}
-
-	return h;
-	}
diff --git a/src/EventHandler.h b/src/EventHandler.h
index 216badee4b..1f3e902b8f 100644
--- a/src/EventHandler.h
+++ b/src/EventHandler.h
@@ -11,9 +11,6 @@
 
 class Func;
 class FuncType;
-class Serializer;
-class SerialInfo;
-class UnserialInfo;
 
 class EventHandler {
 public:
@@ -56,11 +53,6 @@ public:
 	void SetGenerateAlways()	{ generate_always = true; }
 	bool GenerateAlways()	{ return generate_always; }
 
-	// We don't serialize the handler(s) itself here, but
-	// just the reference to it.
-	bool Serialize(SerialInfo* info) const;
-	static EventHandler* Unserialize(UnserialInfo* info);
-
 private:
 	void NewEvent(val_list* vl);	// Raise new_event() meta event.
 
diff --git a/src/Expr.cc b/src/Expr.cc
index e6cb9937c4..020412b492 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -201,56 +201,6 @@ void Expr::RuntimeErrorWithCallStack(const std::string& msg) const
 		}
 	}
 
-bool Expr::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Expr* Expr::Unserialize(UnserialInfo* info, BroExprTag want)
-	{
-	Expr* e = (Expr*) SerialObj::Unserialize(info, SER_EXPR);
-
-	if ( ! e )
-		return 0;
-
-	if ( want != EXPR_ANY && e->tag != want )
-		{
-		info->s->Error("wrong expression type");
-		Unref(e);
-		return 0;
-		}
-
-	return e;
-	}
-
-bool Expr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_EXPR, BroObj);
-
-	if ( ! (SERIALIZE(char(tag)) && SERIALIZE(paren)) )
-		return false;
-
-	SERIALIZE_OPTIONAL(type);
-	return true;
-	}
-
-bool Expr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	char c;
-	if ( ! (UNSERIALIZE(&c) && UNSERIALIZE(&paren)) )
-		return 0;
-
-	tag = BroExprTag(c);
-
-	BroType* t = 0;
-	UNSERIALIZE_OPTIONAL(t, BroType::Unserialize(info));
-	SetType(t);
-	return true;
-	}
-
-
 NameExpr::NameExpr(ID* arg_id, bool const_init) : Expr(EXPR_NAME)
 	{
 	id = arg_id;
@@ -350,55 +300,6 @@ void NameExpr::ExprDescribe(ODesc* d) const
 		}
 	}
 
-IMPLEMENT_SERIAL(NameExpr, SER_NAME_EXPR);
-
-bool NameExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_NAME_EXPR, Expr);
-
-	// Write out just the name of the function if requested.
-	if ( info->globals_as_names && id->IsGlobal() )
-		return SERIALIZE('n') && SERIALIZE(id->Name()) &&
-		       SERIALIZE(in_const_init);
-	else
-		return SERIALIZE('f') && id->Serialize(info) &&
-		       SERIALIZE(in_const_init);
-	}
-
-bool NameExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-
-	char type;
-	if ( ! UNSERIALIZE(&type) )
-		return false;
-
-	if ( type == 'n' )
-		{
-		const char* name;
-		if ( ! UNSERIALIZE_STR(&name, 0) )
-			return false;
-
-		id = global_scope()->Lookup(name);
-		if ( id )
-			::Ref(id);
-		else
-			reporter->Warning("configuration changed: unserialized unknown global name from persistent state");
-
-		delete [] name;
-		}
-	else
-		id = ID::Unserialize(info);
-
-	if ( ! id )
-		return false;
-
-	if ( ! UNSERIALIZE(&in_const_init) )
-		return false;
-
-	return true;
-	}
-
 ConstExpr::ConstExpr(Val* arg_val) : Expr(EXPR_CONST)
 	{
 	val = arg_val;
@@ -437,22 +338,6 @@ TraversalCode ConstExpr::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_EXPR_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(ConstExpr, SER_CONST_EXPR);
-
-bool ConstExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_CONST_EXPR, Expr);
-	return val->Serialize(info);
-	}
-
-bool ConstExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-	val = Val::Unserialize(info);
-	return val != 0;
-	}
-
-
 UnaryExpr::UnaryExpr(BroExprTag arg_tag, Expr* arg_op) : Expr(arg_tag)
 	{
 	op = arg_op;
@@ -551,21 +436,6 @@ void UnaryExpr::ExprDescribe(ODesc* d) const
 		}
 	}
 
-IMPLEMENT_SERIAL(UnaryExpr, SER_UNARY_EXPR);
-
-bool UnaryExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_UNARY_EXPR, Expr);
-	return op->Serialize(info);
-	}
-
-bool UnaryExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-	op = Expr::Unserialize(info);
-	return op != 0;
-	}
-
 BinaryExpr::~BinaryExpr()
 	{
 	Unref(op1);
@@ -1039,26 +909,6 @@ void BinaryExpr::PromoteType(TypeTag t, bool is_vector)
 	SetType(is_vector ? new VectorType(base_type(t)) : base_type(t));
 	}
 
-IMPLEMENT_SERIAL(BinaryExpr, SER_BINARY_EXPR);
-
-bool BinaryExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BINARY_EXPR, Expr);
-	return op1->Serialize(info) && op2->Serialize(info);
-	}
-
-bool BinaryExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-
-	op1 = Expr::Unserialize(info);
-	if ( ! op1 )
-		return false;
-
-	op2 = Expr::Unserialize(info);
-	return op2 != 0;
-	}
-
 CloneExpr::CloneExpr(Expr* arg_op) : UnaryExpr(EXPR_CLONE, arg_op)
 	{
 	if ( IsError() )
@@ -1089,20 +939,6 @@ Val* CloneExpr::Fold(Val* v) const
 	return v->Clone();
 	}
 
-IMPLEMENT_SERIAL(CloneExpr, SER_CLONE_EXPR);
-
-bool CloneExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_CLONE_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool CloneExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 IncrExpr::IncrExpr(BroExprTag arg_tag, Expr* arg_op)
 : UnaryExpr(arg_tag, arg_op->MakeLvalue())
 	{
@@ -1194,20 +1030,6 @@ int IncrExpr::IsPure() const
 	return 0;
 	}
 
-IMPLEMENT_SERIAL(IncrExpr, SER_INCR_EXPR);
-
-bool IncrExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_INCR_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool IncrExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 ComplementExpr::ComplementExpr(Expr* arg_op) : UnaryExpr(EXPR_COMPLEMENT, arg_op)
 	{
 	if ( IsError() )
@@ -1227,20 +1049,6 @@ Val* ComplementExpr::Fold(Val* v) const
 	return val_mgr->GetCount(~ v->InternalUnsigned());
 	}
 
-IMPLEMENT_SERIAL(ComplementExpr, SER_COMPLEMENT_EXPR);
-
-bool ComplementExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_COMPLEMENT_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool ComplementExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 NotExpr::NotExpr(Expr* arg_op) : UnaryExpr(EXPR_NOT, arg_op)
 	{
 	if ( IsError() )
@@ -1260,20 +1068,6 @@ Val* NotExpr::Fold(Val* v) const
 	return val_mgr->GetBool(! v->InternalInt());
 	}
 
-IMPLEMENT_SERIAL(NotExpr, SER_NOT_EXPR);
-
-bool NotExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_NOT_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool NotExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 PosExpr::PosExpr(Expr* arg_op) : UnaryExpr(EXPR_POSITIVE, arg_op)
 	{
 	if ( IsError() )
@@ -1310,20 +1104,6 @@ Val* PosExpr::Fold(Val* v) const
 		return val_mgr->GetInt(v->CoerceToInt());
 	}
 
-IMPLEMENT_SERIAL(PosExpr, SER_POS_EXPR);
-
-bool PosExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_POS_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool PosExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 NegExpr::NegExpr(Expr* arg_op) : UnaryExpr(EXPR_NEGATE, arg_op)
 	{
 	if ( IsError() )
@@ -1360,21 +1140,6 @@ Val* NegExpr::Fold(Val* v) const
 		return val_mgr->GetInt(- v->CoerceToInt());
 	}
 
-
-IMPLEMENT_SERIAL(NegExpr, SER_NEG_EXPR);
-
-bool NegExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_NEG_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool NegExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 SizeExpr::SizeExpr(Expr* arg_op) : UnaryExpr(EXPR_SIZE, arg_op)
 	{
 	if ( IsError() )
@@ -1402,21 +1167,6 @@ Val* SizeExpr::Fold(Val* v) const
 	return v->SizeVal();
 	}
 
-IMPLEMENT_SERIAL(SizeExpr, SER_SIZE_EXPR);
-
-bool SizeExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SIZE_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool SizeExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
-
 AddExpr::AddExpr(Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(EXPR_ADD, arg_op1, arg_op2)
 	{
@@ -1464,20 +1214,6 @@ void AddExpr::Canonicize()
 		SwapOps();
 	}
 
-IMPLEMENT_SERIAL(AddExpr, SER_ADD_EXPR);
-
-bool AddExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ADD_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool AddExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 AddToExpr::AddToExpr(Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(EXPR_ADD_TO,
              is_vector(arg_op1) ? arg_op1 : arg_op1->MakeLvalue(), arg_op2)
@@ -1559,20 +1295,6 @@ Val* AddToExpr::Eval(Frame* f) const
 		return 0;
 	}
 
-IMPLEMENT_SERIAL(AddToExpr, SER_ADD_TO_EXPR);
-
-bool AddToExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ADD_TO_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool AddToExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 SubExpr::SubExpr(Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(EXPR_SUB, arg_op1, arg_op2)
 	{
@@ -1624,20 +1346,6 @@ SubExpr::SubExpr(Expr* arg_op1, Expr* arg_op2)
 		}
 	}
 
-IMPLEMENT_SERIAL(SubExpr, SER_SUB_EXPR);
-
-bool SubExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SUB_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool SubExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 RemoveFromExpr::RemoveFromExpr(Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(EXPR_REMOVE_FROM, arg_op1->MakeLvalue(), arg_op2)
 	{
@@ -1682,20 +1390,6 @@ Val* RemoveFromExpr::Eval(Frame* f) const
 		return 0;
 	}
 
-IMPLEMENT_SERIAL(RemoveFromExpr, SER_REMOVE_FROM_EXPR);
-
-bool RemoveFromExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_REMOVE_FROM_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool RemoveFromExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 TimesExpr::TimesExpr(Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(EXPR_TIMES, arg_op1, arg_op2)
 	{
@@ -1732,20 +1426,6 @@ void TimesExpr::Canonicize()
 		SwapOps();
 	}
 
-IMPLEMENT_SERIAL(TimesExpr, SER_TIMES_EXPR);
-
-bool TimesExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_TIMES_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool TimesExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 DivideExpr::DivideExpr(Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(EXPR_DIVIDE, arg_op1, arg_op2)
 	{
@@ -1810,20 +1490,6 @@ Val* DivideExpr::AddrFold(Val* v1, Val* v2) const
 	return new SubNetVal(a, mask);
 	}
 
-IMPLEMENT_SERIAL(DivideExpr, SER_DIVIDE_EXPR);
-
-bool DivideExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_DIVIDE_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool DivideExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 ModExpr::ModExpr(Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(EXPR_MOD, arg_op1, arg_op2)
 	{
@@ -1844,20 +1510,6 @@ ModExpr::ModExpr(Expr* arg_op1, Expr* arg_op2)
 		ExprError("requires integral operands");
 	}
 
-IMPLEMENT_SERIAL(ModExpr, SER_MOD_EXPR);
-
-bool ModExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_MOD_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool ModExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 BoolExpr::BoolExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(arg_tag, arg_op1, arg_op2)
 	{
@@ -2014,20 +1666,6 @@ Val* BoolExpr::Eval(Frame* f) const
 	return result;
 	}
 
-IMPLEMENT_SERIAL(BoolExpr, SER_BOOL_EXPR);
-
-bool BoolExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BOOL_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool BoolExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(arg_tag, arg_op1, arg_op2)
 	{
@@ -2078,20 +1716,6 @@ BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
 		ExprError("requires \"count\" or compatible \"set\" operands");
 	}
 
-IMPLEMENT_SERIAL(BitExpr, SER_BIT_EXPR);
-
-bool BitExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BIT_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool BitExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(arg_tag, arg_op1, arg_op2)
 	{
@@ -2193,20 +1817,6 @@ Val* EqExpr::Fold(Val* v1, Val* v2) const
 		return BinaryExpr::Fold(v1, v2);
 	}
 
-IMPLEMENT_SERIAL(EqExpr, SER_EQ_EXPR);
-
-bool EqExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_EQ_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool EqExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 RelExpr::RelExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(arg_tag, arg_op1, arg_op2)
 	{
@@ -2264,20 +1874,6 @@ void RelExpr::Canonicize()
 		}
 	}
 
-IMPLEMENT_SERIAL(RelExpr, SER_REL_EXPR);
-
-bool RelExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_REL_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool RelExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 CondExpr::CondExpr(Expr* arg_op1, Expr* arg_op2, Expr* arg_op3)
 : Expr(EXPR_COND)
 	{
@@ -2429,32 +2025,6 @@ void CondExpr::ExprDescribe(ODesc* d) const
 	op3->Describe(d);
 	}
 
-IMPLEMENT_SERIAL(CondExpr, SER_COND_EXPR);
-
-bool CondExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_COND_EXPR, Expr);
-	return op1->Serialize(info) && op2->Serialize(info)
-			&& op3->Serialize(info);
-	}
-
-bool CondExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-
-	op1 = Expr::Unserialize(info);
-	if ( ! op1 )
-		return false;
-
-	op2 = Expr::Unserialize(info);
-	if ( ! op2 )
-		return false;
-
-	op3 = Expr::Unserialize(info);
-
-	return op3 != 0;
-	}
-
 RefExpr::RefExpr(Expr* arg_op) : UnaryExpr(EXPR_REF, arg_op)
 	{
 	if ( IsError() )
@@ -2476,20 +2046,6 @@ void RefExpr::Assign(Frame* f, Val* v, Opcode opcode)
 	op->Assign(f, v, opcode);
 	}
 
-IMPLEMENT_SERIAL(RefExpr, SER_REF_EXPR);
-
-bool RefExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_REF_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool RefExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init,
 		       Val* arg_val, attr_list* arg_attrs)
 : BinaryExpr(EXPR_ASSIGN,
@@ -2878,22 +2434,6 @@ int AssignExpr::IsPure() const
 	return 0;
 	}
 
-IMPLEMENT_SERIAL(AssignExpr, SER_ASSIGN_EXPR);
-
-bool AssignExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ASSIGN_EXPR, BinaryExpr);
-	SERIALIZE_OPTIONAL(val);
-	return SERIALIZE(is_init);
-	}
-
-bool AssignExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	UNSERIALIZE_OPTIONAL(val, Val::Unserialize(info));
-	return UNSERIALIZE(&is_init);
-	}
-
 IndexExpr::IndexExpr(Expr* arg_op1, ListExpr* arg_op2, bool is_slice)
 : BinaryExpr(EXPR_INDEX, arg_op1, arg_op2)
 	{
@@ -3235,21 +2775,6 @@ TraversalCode IndexExpr::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_EXPR_POST(tc);
 	}
 
-
-IMPLEMENT_SERIAL(IndexExpr, SER_INDEX_EXPR);
-
-bool IndexExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_INDEX_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool IndexExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name)
 : UnaryExpr(EXPR_FIELD, arg_op)
 	{
@@ -3347,29 +2872,6 @@ void FieldExpr::ExprDescribe(ODesc* d) const
 		d->Add(field);
 	}
 
-IMPLEMENT_SERIAL(FieldExpr, SER_FIELD_EXPR);
-
-bool FieldExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_FIELD_EXPR, UnaryExpr);
-
-	if ( ! (SERIALIZE(field_name) && SERIALIZE(field) ) )
-		return false;
-
-	return td->Serialize(info);
-	}
-
-bool FieldExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-
-	if ( ! (UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field) ) )
-		return false;
-
-	td = TypeDecl::Unserialize(info);
-	return td != 0;
-	}
-
 HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name)
 : UnaryExpr(EXPR_HAS_FIELD, arg_op)
 	{
@@ -3432,24 +2934,6 @@ void HasFieldExpr::ExprDescribe(ODesc* d) const
 		d->Add(field);
 	}
 
-IMPLEMENT_SERIAL(HasFieldExpr, SER_HAS_FIELD_EXPR);
-
-bool HasFieldExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_HAS_FIELD_EXPR, UnaryExpr);
-
-	// Serialize former "bool is_attr" member first for backwards compatibility.
-	return SERIALIZE(false) && SERIALIZE(field_name) && SERIALIZE(field);
-	}
-
-bool HasFieldExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	// Unserialize former "bool is_attr" member for backwards compatibility.
-	bool not_used;
-	return UNSERIALIZE(&not_used) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field);
-	}
-
 RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 : UnaryExpr(EXPR_RECORD_CONSTRUCTOR, constructor_list)
 	{
@@ -3529,20 +3013,6 @@ void RecordConstructorExpr::ExprDescribe(ODesc* d) const
 	d->Add("]");
 	}
 
-IMPLEMENT_SERIAL(RecordConstructorExpr, SER_RECORD_CONSTRUCTOR_EXPR);
-
-bool RecordConstructorExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_RECORD_CONSTRUCTOR_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool RecordConstructorExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 TableConstructorExpr::TableConstructorExpr(ListExpr* constructor_list,
 					   attr_list* arg_attrs, BroType* arg_type)
 : UnaryExpr(EXPR_TABLE_CONSTRUCTOR, constructor_list)
@@ -3653,22 +3123,6 @@ void TableConstructorExpr::ExprDescribe(ODesc* d) const
 	d->Add(")");
 	}
 
-IMPLEMENT_SERIAL(TableConstructorExpr, SER_TABLE_CONSTRUCTOR_EXPR);
-
-bool TableConstructorExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_TABLE_CONSTRUCTOR_EXPR, UnaryExpr);
-	SERIALIZE_OPTIONAL(attrs);
-	return true;
-	}
-
-bool TableConstructorExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
-	return true;
-	}
-
 SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list,
 				       attr_list* arg_attrs, BroType* arg_type)
 : UnaryExpr(EXPR_SET_CONSTRUCTOR, constructor_list)
@@ -3789,22 +3243,6 @@ void SetConstructorExpr::ExprDescribe(ODesc* d) const
 	d->Add(")");
 	}
 
-IMPLEMENT_SERIAL(SetConstructorExpr, SER_SET_CONSTRUCTOR_EXPR);
-
-bool SetConstructorExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SET_CONSTRUCTOR_EXPR, UnaryExpr);
-	SERIALIZE_OPTIONAL(attrs);
-	return true;
-	}
-
-bool SetConstructorExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
-	return true;
-	}
-
 VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list,
 					     BroType* arg_type)
 : UnaryExpr(EXPR_VECTOR_CONSTRUCTOR, constructor_list)
@@ -3908,20 +3346,6 @@ void VectorConstructorExpr::ExprDescribe(ODesc* d) const
 	d->Add(")");
 	}
 
-IMPLEMENT_SERIAL(VectorConstructorExpr, SER_VECTOR_CONSTRUCTOR_EXPR);
-
-bool VectorConstructorExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_VECTOR_CONSTRUCTOR_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool VectorConstructorExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 FieldAssignExpr::FieldAssignExpr(const char* arg_field_name, Expr* value)
 : UnaryExpr(EXPR_FIELD_ASSIGN, value), field_name(arg_field_name)
 	{
@@ -3970,20 +3394,6 @@ void FieldAssignExpr::ExprDescribe(ODesc* d) const
 	op->Describe(d);
 	}
 
-IMPLEMENT_SERIAL(FieldAssignExpr, SER_FIELD_ASSIGN_EXPR);
-
-bool FieldAssignExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_FIELD_ASSIGN_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool FieldAssignExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 ArithCoerceExpr::ArithCoerceExpr(Expr* arg_op, TypeTag t)
 : UnaryExpr(EXPR_ARITH_COERCE, arg_op)
 	{
@@ -4061,21 +3471,6 @@ Val* ArithCoerceExpr::Fold(Val* v) const
 	return result;
 	}
 
-IMPLEMENT_SERIAL(ArithCoerceExpr, SER_ARITH_COERCE_EXPR);
-
-bool ArithCoerceExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ARITH_COERCE_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool ArithCoerceExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
-
 RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
 : UnaryExpr(EXPR_RECORD_COERCE, op)
 	{
@@ -4276,39 +3671,6 @@ Val* RecordCoerceExpr::Fold(Val* v) const
 	return val;
 	}
 
-IMPLEMENT_SERIAL(RecordCoerceExpr, SER_RECORD_COERCE_EXPR);
-
-bool RecordCoerceExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_RECORD_COERCE_EXPR, UnaryExpr);
-
-	if ( ! SERIALIZE(map_size) )
-		return false;
-
-	for ( int i = 0; i < map_size; ++i )
-		if ( ! SERIALIZE(map[i]) )
-			return false;
-
-	return true;
-	}
-
-bool RecordCoerceExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-
-	if ( ! UNSERIALIZE(&map_size) )
-		return false;
-
-	map = new int[map_size];
-
-	for ( int i = 0; i < map_size; ++i )
-		if ( ! UNSERIALIZE(&map[i]) )
-			return false;
-
-	return true;
-	}
-
-
 TableCoerceExpr::TableCoerceExpr(Expr* op, TableType* r)
 : UnaryExpr(EXPR_TABLE_COERCE, op)
 	{
@@ -4339,20 +3701,6 @@ Val* TableCoerceExpr::Fold(Val* v) const
 	return new TableVal(Type()->AsTableType(), tv->Attrs());
 	}
 
-IMPLEMENT_SERIAL(TableCoerceExpr, SER_TABLE_COERCE_EXPR);
-
-bool TableCoerceExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_TABLE_COERCE_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool TableCoerceExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 VectorCoerceExpr::VectorCoerceExpr(Expr* op, VectorType* v)
 : UnaryExpr(EXPR_VECTOR_COERCE, op)
 	{
@@ -4383,20 +3731,6 @@ Val* VectorCoerceExpr::Fold(Val* v) const
 	return new VectorVal(Type()->Ref()->AsVectorType());
 	}
 
-IMPLEMENT_SERIAL(VectorCoerceExpr, SER_VECTOR_COERCE_EXPR);
-
-bool VectorCoerceExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_VECTOR_COERCE_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool VectorCoerceExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 FlattenExpr::FlattenExpr(Expr* arg_op)
 : UnaryExpr(EXPR_FLATTEN, arg_op)
 	{
@@ -4445,20 +3779,6 @@ Val* FlattenExpr::Fold(Val* v) const
 	return l;
 	}
 
-IMPLEMENT_SERIAL(FlattenExpr, SER_FLATTEN_EXPR);
-
-bool FlattenExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_FLATTEN_EXPR, UnaryExpr);
-	return SERIALIZE(num_fields);
-	}
-
-bool FlattenExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return UNSERIALIZE(&num_fields);
-	}
-
 ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args,
 				double t, TimerMgr* arg_tmgr)
 	: Timer(t, TIMER_SCHEDULE),
@@ -4570,26 +3890,6 @@ void ScheduleExpr::ExprDescribe(ODesc* d) const
 		event->Describe(d);
 	}
 
-IMPLEMENT_SERIAL(ScheduleExpr, SER_SCHEDULE_EXPR);
-
-bool ScheduleExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SCHEDULE_EXPR, Expr);
-	return when->Serialize(info) && event->Serialize(info);
-	}
-
-bool ScheduleExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-
-	when = Expr::Unserialize(info);
-	if ( ! when )
-		return false;
-
-	event = (EventExpr*) Expr::Unserialize(info, EXPR_EVENT);
-	return event != 0;
-	}
-
 InExpr::InExpr(Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(EXPR_IN, arg_op1, arg_op2)
 	{
@@ -4706,20 +4006,6 @@ Val* InExpr::Fold(Val* v1, Val* v2) const
 		return val_mgr->GetBool(0);
 	}
 
-IMPLEMENT_SERIAL(InExpr, SER_IN_EXPR);
-
-bool InExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_IN_EXPR, BinaryExpr);
-	return true;
-	}
-
-bool InExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BinaryExpr);
-	return true;
-	}
-
 CallExpr::CallExpr(Expr* arg_func, ListExpr* arg_args, bool in_hook)
 : Expr(EXPR_CALL)
 	{
@@ -4917,26 +4203,6 @@ void CallExpr::ExprDescribe(ODesc* d) const
 		args->Describe(d);
 	}
 
-IMPLEMENT_SERIAL(CallExpr, SER_CALL_EXPR);
-
-bool CallExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_CALL_EXPR, Expr);
-	return func->Serialize(info) && args->Serialize(info);
-	}
-
-bool CallExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-
-	func = Expr::Unserialize(info);
-	if ( ! func )
-		return false;
-
-	args = (ListExpr*) Expr::Unserialize(info, EXPR_LIST);
-	return args != 0;
-	}
-
 EventExpr::EventExpr(const char* arg_name, ListExpr* arg_args)
 : Expr(EXPR_EVENT)
 	{
@@ -5022,35 +4288,6 @@ void EventExpr::ExprDescribe(ODesc* d) const
 		args->Describe(d);
 	}
 
-IMPLEMENT_SERIAL(EventExpr, SER_EVENT_EXPR);
-
-bool EventExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_EVENT_EXPR, Expr);
-
-	if ( ! handler->Serialize(info) )
-		return false;
-
-	return SERIALIZE(name) && args->Serialize(info);
-	}
-
-bool EventExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-
-	EventHandler* h = EventHandler::Unserialize(info);
-	if ( ! h )
-		return false;
-
-	handler = h;
-
-	if ( ! UNSERIALIZE(&name) )
-		return false;
-
-	args = (ListExpr*) Expr::Unserialize(info, EXPR_LIST);
-	return args;
-	}
-
 ListExpr::ListExpr() : Expr(EXPR_LIST)
 	{
 	SetType(new TypeList());
@@ -5421,42 +4658,6 @@ TraversalCode ListExpr::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_EXPR_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(ListExpr, SER_LIST_EXPR);
-
-bool ListExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_LIST_EXPR, Expr);
-
-	if ( ! SERIALIZE(exprs.length()) )
-		return false;
-
-	loop_over_list(exprs, i)
-		if ( ! exprs[i]->Serialize(info) )
-			return false;
-
-	return true;
-	}
-
-bool ListExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Expr);
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	while ( len-- )
-		{
-		Expr* e = Expr::Unserialize(info);
-		if ( ! e )
-			return false;
-
-		exprs.append(e);
-		}
-
-	return true;
-	}
-
 RecordAssignExpr::RecordAssignExpr(Expr* record, Expr* init_list, int is_init)
 	{
 	const expr_list& inits = init_list->AsListExpr()->Exprs();
@@ -5518,20 +4719,6 @@ RecordAssignExpr::RecordAssignExpr(Expr* record, Expr* init_list, int is_init)
 		}
 	}
 
-IMPLEMENT_SERIAL(RecordAssignExpr, SER_RECORD_ASSIGN_EXPR);
-
-bool RecordAssignExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_RECORD_ASSIGN_EXPR, ListExpr);
-	return true;
-	}
-
-bool RecordAssignExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ListExpr);
-	return true;
-	}
-
 CastExpr::CastExpr(Expr* arg_op, BroType* t) : UnaryExpr(EXPR_CAST, arg_op)
 	{
 	auto stype = Op()->Type();
@@ -5584,20 +4771,6 @@ void CastExpr::ExprDescribe(ODesc* d) const
 	Type()->Describe(d);
 	}
 
-IMPLEMENT_SERIAL(CastExpr, SER_CAST_EXPR);
-
-bool CastExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_CAST_EXPR, UnaryExpr);
-	return true;
-	}
-
-bool CastExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 IsExpr::IsExpr(Expr* arg_op, BroType* arg_t) : UnaryExpr(EXPR_IS, arg_op)
 	{
 	t = arg_t;
@@ -5629,20 +4802,6 @@ void IsExpr::ExprDescribe(ODesc* d) const
 	t->Describe(d);
 	}
 
-IMPLEMENT_SERIAL(IsExpr, SER_IS_EXPR_ /* sic */);
-
-bool IsExpr::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_IS_EXPR_, UnaryExpr);
-	return true;
-	}
-
-bool IsExpr::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(UnaryExpr);
-	return true;
-	}
-
 Expr* get_assign_expr(Expr* op1, Expr* op2, int is_init)
 	{
 	if ( op1->Type()->Tag() == TYPE_RECORD &&
diff --git a/src/Expr.h b/src/Expr.h
index e268f07648..6c9ac5e18f 100644
--- a/src/Expr.h
+++ b/src/Expr.h
@@ -189,9 +189,6 @@ public:
 
 	void Describe(ODesc* d) const override;
 
-	bool Serialize(SerialInfo* info) const;
-	static Expr* Unserialize(UnserialInfo* info, BroExprTag want = EXPR_ANY);
-
 	virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
 
 protected:
@@ -214,8 +211,6 @@ protected:
 
 	void RuntimeErrorWithCallStack(const std::string& msg) const;
 
-	DECLARE_ABSTRACT_SERIAL(Expr);
-
 	BroExprTag tag;
 	BroType* type;
 
@@ -242,8 +237,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(NameExpr);
-
 	ID* id;
 	bool in_const_init;
 };
@@ -264,8 +257,6 @@ protected:
 	ConstExpr()	{ val = 0; }
 
 	void ExprDescribe(ODesc* d) const override;
-	DECLARE_SERIAL(ConstExpr);
-
 	Val* val;
 };
 
@@ -294,8 +285,6 @@ protected:
 	// Returns the expression folded using the given constant.
 	virtual Val* Fold(Val* v) const;
 
-	DECLARE_SERIAL(UnaryExpr);
-
 	Expr* op;
 };
 
@@ -357,8 +346,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(BinaryExpr);
-
 	Expr* op1;
 	Expr* op2;
 };
@@ -373,8 +360,6 @@ protected:
 	CloneExpr()	{ }
 
 	Val* Fold(Val* v) const override;
-
-	DECLARE_SERIAL(CloneExpr);
 };
 
 class IncrExpr : public UnaryExpr {
@@ -388,8 +373,6 @@ public:
 protected:
 	friend class Expr;
 	IncrExpr()	{ }
-
-	DECLARE_SERIAL(IncrExpr);
 };
 
 class ComplementExpr : public UnaryExpr {
@@ -401,8 +384,6 @@ protected:
 	ComplementExpr()	{ }
 
 	Val* Fold(Val* v) const override;
-
-	DECLARE_SERIAL(ComplementExpr);
 };
 
 class NotExpr : public UnaryExpr {
@@ -414,8 +395,6 @@ protected:
 	NotExpr()	{ }
 
 	Val* Fold(Val* v) const override;
-
-	DECLARE_SERIAL(NotExpr);
 };
 
 class PosExpr : public UnaryExpr {
@@ -427,8 +406,6 @@ protected:
 	PosExpr()	{ }
 
 	Val* Fold(Val* v) const override;
-
-	DECLARE_SERIAL(PosExpr);
 };
 
 class NegExpr : public UnaryExpr {
@@ -440,8 +417,6 @@ protected:
 	NegExpr()	{ }
 
 	Val* Fold(Val* v) const override;
-
-	DECLARE_SERIAL(NegExpr);
 };
 
 class SizeExpr : public UnaryExpr {
@@ -454,7 +429,6 @@ protected:
 	SizeExpr()	{ }
 
 	Val* Fold(Val* v) const override;
-	DECLARE_SERIAL(SizeExpr);
 };
 
 class AddExpr : public BinaryExpr {
@@ -465,9 +439,6 @@ public:
 protected:
 	friend class Expr;
 	AddExpr()	{ }
-
-	DECLARE_SERIAL(AddExpr);
-
 };
 
 class AddToExpr : public BinaryExpr {
@@ -478,8 +449,6 @@ public:
 protected:
 	friend class Expr;
 	AddToExpr()	{ }
-
-	DECLARE_SERIAL(AddToExpr);
 };
 
 class RemoveFromExpr : public BinaryExpr {
@@ -490,8 +459,6 @@ public:
 protected:
 	friend class Expr;
 	RemoveFromExpr()	{ }
-
-	DECLARE_SERIAL(RemoveFromExpr);
 };
 
 class SubExpr : public BinaryExpr {
@@ -501,9 +468,6 @@ public:
 protected:
 	friend class Expr;
 	SubExpr()	{ }
-
-	DECLARE_SERIAL(SubExpr);
-
 };
 
 class TimesExpr : public BinaryExpr {
@@ -514,9 +478,6 @@ public:
 protected:
 	friend class Expr;
 	TimesExpr()	{ }
-
-	DECLARE_SERIAL(TimesExpr);
-
 };
 
 class DivideExpr : public BinaryExpr {
@@ -528,9 +489,6 @@ protected:
 	DivideExpr()	{ }
 
 	Val* AddrFold(Val* v1, Val* v2) const override;
-
-	DECLARE_SERIAL(DivideExpr);
-
 };
 
 class ModExpr : public BinaryExpr {
@@ -540,8 +498,6 @@ public:
 protected:
 	friend class Expr;
 	ModExpr()	{ }
-
-	DECLARE_SERIAL(ModExpr);
 };
 
 class BoolExpr : public BinaryExpr {
@@ -554,8 +510,6 @@ public:
 protected:
 	friend class Expr;
 	BoolExpr()	{ }
-
-	DECLARE_SERIAL(BoolExpr);
 };
 
 class BitExpr : public BinaryExpr {
@@ -565,8 +519,6 @@ public:
 protected:
 	friend class Expr;
 	BitExpr()	{ }
-
-	DECLARE_SERIAL(BitExpr);
 };
 
 class EqExpr : public BinaryExpr {
@@ -579,8 +531,6 @@ protected:
 	EqExpr()	{ }
 
 	Val* Fold(Val* v1, Val* v2) const override;
-
-	DECLARE_SERIAL(EqExpr);
 };
 
 class RelExpr : public BinaryExpr {
@@ -591,8 +541,6 @@ public:
 protected:
 	friend class Expr;
 	RelExpr()	{ }
-
-	DECLARE_SERIAL(RelExpr);
 };
 
 class CondExpr : public Expr {
@@ -615,8 +563,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(CondExpr);
-
 	Expr* op1;
 	Expr* op2;
 	Expr* op3;
@@ -632,8 +578,6 @@ public:
 protected:
 	friend class Expr;
 	RefExpr()	{ }
-
-	DECLARE_SERIAL(RefExpr);
 };
 
 class AssignExpr : public BinaryExpr {
@@ -657,8 +601,6 @@ protected:
 	bool TypeCheck(attr_list* attrs = 0);
 	bool TypeCheckArithmetics(TypeTag bt1, TypeTag bt2);
 
-	DECLARE_SERIAL(AssignExpr);
-
 	int is_init;
 	Val* val;	// optional
 };
@@ -689,8 +631,6 @@ protected:
 	Val* Fold(Val* v1, Val* v2) const override;
 
 	void ExprDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(IndexExpr);
 };
 
 class FieldExpr : public UnaryExpr {
@@ -716,8 +656,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(FieldExpr);
-
 	const char* field_name;
 	const TypeDecl* td;
 	int field; // -1 = attributes
@@ -740,8 +678,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(HasFieldExpr);
-
 	const char* field_name;
 	int field;
 };
@@ -759,8 +695,6 @@ protected:
 	Val* Fold(Val* v) const override;
 
 	void ExprDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(RecordConstructorExpr);
 };
 
 class TableConstructorExpr : public UnaryExpr {
@@ -781,8 +715,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(TableConstructorExpr);
-
 	Attributes* attrs;
 };
 
@@ -804,8 +736,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(SetConstructorExpr);
-
 	Attributes* attrs;
 };
 
@@ -822,8 +752,6 @@ protected:
 	Val* InitVal(const BroType* t, Val* aggr) const override;
 
 	void ExprDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(VectorConstructorExpr);
 };
 
 class FieldAssignExpr : public UnaryExpr {
@@ -841,8 +769,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(FieldAssignExpr);
-
 	string field_name;
 };
 
@@ -856,8 +782,6 @@ protected:
 
 	Val* FoldSingleVal(Val* v, InternalTypeTag t) const;
 	Val* Fold(Val* v) const override;
-
-	DECLARE_SERIAL(ArithCoerceExpr);
 };
 
 class RecordCoerceExpr : public UnaryExpr {
@@ -872,8 +796,6 @@ protected:
 	Val* InitVal(const BroType* t, Val* aggr) const override;
 	Val* Fold(Val* v) const override;
 
-	DECLARE_SERIAL(RecordCoerceExpr);
-
 	// For each super-record slot, gives subrecord slot with which to
 	// fill it.
 	int* map;
@@ -890,8 +812,6 @@ protected:
 	TableCoerceExpr()	{ }
 
 	Val* Fold(Val* v) const override;
-
-	DECLARE_SERIAL(TableCoerceExpr);
 };
 
 class VectorCoerceExpr : public UnaryExpr {
@@ -904,8 +824,6 @@ protected:
 	VectorCoerceExpr()	{ }
 
 	Val* Fold(Val* v) const override;
-
-	DECLARE_SERIAL(VectorCoerceExpr);
 };
 
 // An internal operator for flattening array indices that are records
@@ -920,8 +838,6 @@ protected:
 
 	Val* Fold(Val* v) const override;
 
-	DECLARE_SERIAL(FlattenExpr);
-
 	int num_fields;
 };
 
@@ -961,8 +877,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(ScheduleExpr);
-
 	Expr* when;
 	EventExpr* event;
 };
@@ -977,8 +891,6 @@ protected:
 
 	Val* Fold(Val* v1, Val* v2) const override;
 
-	DECLARE_SERIAL(InExpr);
-
 };
 
 class CallExpr : public Expr {
@@ -1001,8 +913,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(CallExpr);
-
 	Expr* func;
 	ListExpr* args;
 };
@@ -1026,8 +936,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(EventExpr);
-
 	string name;
 	EventHandlerPtr handler;
 	ListExpr* args;
@@ -1064,8 +972,6 @@ protected:
 
 	void ExprDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(ListExpr);
-
 	expr_list exprs;
 };
 
@@ -1079,8 +985,6 @@ public:
 protected:
 	friend class Expr;
 	RecordAssignExpr()	{ }
-
-	DECLARE_SERIAL(RecordAssignExpr);
 };
 
 class CastExpr : public UnaryExpr {
@@ -1093,8 +997,6 @@ protected:
 
 	Val* Eval(Frame* f) const override;
 	void ExprDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(CastExpr);
 };
 
 class IsExpr : public UnaryExpr {
@@ -1108,7 +1010,6 @@ protected:
 
 	Val* Fold(Val* v) const override;
 	void ExprDescribe(ODesc* d) const override;
-	DECLARE_SERIAL(IsExpr);
 
 private:
 	BroType* t;
diff --git a/src/File.cc b/src/File.cc
index d7a213237f..e25f39c895 100644
--- a/src/File.cc
+++ b/src/File.cc
@@ -30,7 +30,6 @@
 #include "Expr.h"
 #include "NetVar.h"
 #include "Net.h"
-#include "Serializer.h"
 #include "Event.h"
 #include "Reporter.h"
 
@@ -828,11 +827,6 @@ void BroFile::UpdateFileSize()
 	current_size = double(s.st_size);
 	}
 
-bool BroFile::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
 BroFile* BroFile::GetFile(const char* name)
 	{
 	for ( BroFile* f = head; f; f = f->next )
@@ -844,139 +838,3 @@ BroFile* BroFile::GetFile(const char* name)
 	return new BroFile(name, "w", 0);
 	}
 
-BroFile* BroFile::Unserialize(UnserialInfo* info)
-	{
-	BroFile* file = (BroFile*) SerialObj::Unserialize(info, SER_BRO_FILE);
-
-	if ( ! file )
-		return 0;
-
-	if ( file->is_open )
-		return file;
-
-	// If there is already an object for this file, return it.
-	if ( file->name )
-		{
-		for ( BroFile* f = head; f; f = f->next )
-			{
-			if ( f->name && streq(file->name, f->name) )
-				{
-				Unref(file);
-				Ref(f);
-				return f;
-				}
-			}
-		}
-
-	// Otherwise, open, but don't clobber.
-	if ( ! file->Open(0, "a") )
-		{
-		info->s->Error(fmt("cannot open %s: %s",
-					file->name, strerror(errno)));
-		return 0;
-		}
-
-	// Here comes a hack.  This method will return a pointer to a newly
-	// instantiated file object.  As soon as this pointer is Unref'ed, the
-	// file will be closed.  That means that when we unserialize the same
-	// file next time, we will re-open it and thereby delete the first one,
-	// i.e., we will be keeping to delete what we've written just before.
-	//
-	// To avoid this loop, we do an extra Ref here, i.e., this file will
-	// *never* be closed anymore (as long the file cache does not overflow).
-	Ref(file);
-
-	// We deliberately override log rotation attributes with our defaults.
-	file->rotate_interval = log_rotate_interval;
-	file->rotate_size = log_max_size;
-	file->InstallRotateTimer();
-	file->SetBuf(file->buffered);
-
-	return file;
-	}
-
-IMPLEMENT_SERIAL(BroFile, SER_BRO_FILE);
-
-bool BroFile::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BRO_FILE, BroObj);
-
-	const char* s = name;
-
-	if ( ! okay_to_manage )
-		{
-		// We can handle stdin/stdout/stderr but no others.
-		if ( f == stdin )
-			s = "/dev/stdin";
-		else if ( f == stdout )
-			s = "/dev/stdout";
-		else if ( f == stderr )
-			s = "/dev/stderr";
-		else
-			{
-			// We don't manage the file, and therefore don't
-			// really know how to pass it on to the other side.
-			// However, in order to not abort communication
-			// when this happens, we still send the name if we
-			// have one; or if we don't, we create a special
-			// "dont-have-a-file" file to be created on the
-			// receiver side.
-			if ( ! s )
-				s = "unmanaged-bro-output-file.log";
-			}
-		}
-
-	if ( ! (SERIALIZE(s) && SERIALIZE(buffered)) )
-		return false;
-
-	SERIALIZE_OPTIONAL_STR(access);
-
-	if ( ! t->Serialize(info) )
-		return false;
-
-	SERIALIZE_OPTIONAL(attrs);
-	return true;
-	}
-
-bool BroFile::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&buffered)) )
-		return false;
-
-	UNSERIALIZE_OPTIONAL_STR(access);
-
-	t = BroType::Unserialize(info);
-	if ( ! t )
-		return false;
-
-	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
-
-	// Parse attributes.
-	SetAttrs(attrs);
-	// SetAttrs() has ref'ed attrs again.
-	Unref(attrs);
-
-	// Bind stdin/stdout/stderr.
-	FILE* file = 0;
-	is_open = false;
-	f = 0;
-
-	if ( streq(name, "/dev/stdin") )
-		file = stdin;
-	else if ( streq(name, "/dev/stdout") )
-		file = stdout;
-	else if ( streq(name, "/dev/stderr") )
-		file = stderr;
-
-	if ( file )
-		{
-		delete [] name;
-		name = 0;
-		f = file;
-		is_open = true;
-		}
-
-	return true;
-	}
diff --git a/src/File.h b/src/File.h
index 3660d3caa4..d763a35b11 100644
--- a/src/File.h
+++ b/src/File.h
@@ -79,9 +79,6 @@ public:
 	void EnableRawOutput()		{ raw_output = true; }
 	bool IsRawOutput() const	{ return raw_output; }
 
-	bool Serialize(SerialInfo* info) const;
-	static BroFile* Unserialize(UnserialInfo* info);
-
 protected:
 	friend class RotateTimer;
 
@@ -124,8 +121,6 @@ protected:
 	// Finalize encryption.
 	void FinishEncrypt();
 
-	DECLARE_SERIAL(BroFile);
-
 	FILE* f;
 	BroType* t;
 	char* name;
diff --git a/src/Func.cc b/src/Func.cc
index d34f97c197..ae10dc60e9 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -41,7 +41,6 @@
 #include "analyzer/protocol/login/Login.h"
 #include "Sessions.h"
 #include "RE.h"
-#include "Serializer.h"
 #include "Event.h"
 #include "Traverse.h"
 #include "Reporter.h"
@@ -127,110 +126,6 @@ void Func::AddBody(Stmt* /* new_body */, id_list* /* new_inits */,
 	Internal("Func::AddBody called");
 	}
 
-bool Func::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Func* Func::Unserialize(UnserialInfo* info)
-	{
-	Func* f = (Func*) SerialObj::Unserialize(info, SER_FUNC);
-
-	// For builtins, we return a reference to the (hopefully) already
-	// existing function.
-	if ( f && f->kind == BUILTIN_FUNC )
-		{
-		const char* name = ((BuiltinFunc*) f)->Name();
-		ID* id = global_scope()->Lookup(name);
-		if ( ! id )
-			{
-			info->s->Error(fmt("can't find built-in %s", name));
-			return 0;
-			}
-
-		if ( ! (id->HasVal() && id->ID_Val()->Type()->Tag() == TYPE_FUNC) )
-			{
-			info->s->Error(fmt("ID %s is not a built-in", name));
-			return 0;
-			}
-
-		Unref(f);
-		f = id->ID_Val()->AsFunc();
-		Ref(f);
-		}
-
-	return f;
-	}
-
-bool Func::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_FUNC, BroObj);
-
-	if ( ! SERIALIZE(int(bodies.size())) )
-		return false;
-
-	for ( unsigned int i = 0; i < bodies.size(); ++i )
-		{
-		if ( ! bodies[i].stmts->Serialize(info) )
-			return false;
-		if ( ! SERIALIZE(bodies[i].priority) )
-			return false;
-		}
-
-	if ( ! SERIALIZE(char(kind) ) )
-		return false;
-
-	if ( ! type->Serialize(info) )
-		return false;
-
-	if ( ! SERIALIZE(Name()) )
-		return false;
-
-	// We don't serialize scope as only global functions are considered here
-	// anyway.
-	return true;
-	}
-
-bool Func::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	while ( len-- )
-		{
-		Body b;
-		b.stmts = Stmt::Unserialize(info);
-		if ( ! b.stmts )
-			return false;
-
-		if ( ! UNSERIALIZE(&b.priority) )
-			return false;
-
-		bodies.push_back(b);
-		}
-
-	char c;
-	if ( ! UNSERIALIZE(&c) )
-		return false;
-
-	kind = (Kind) c;
-
-	type = BroType::Unserialize(info);
-	if ( ! type )
-		return false;
-
-	const char* n;
-	if ( ! UNSERIALIZE_STR(&n, 0) )
-		return false;
-
-	name = n;
-	delete [] n;
-
-	return true;
-	}
 
 void Func::DescribeDebug(ODesc* d, const val_list* args) const
 	{
@@ -584,21 +479,6 @@ Stmt* BroFunc::AddInits(Stmt* body, id_list* inits)
 	return stmt_series;
 	}
 
-IMPLEMENT_SERIAL(BroFunc, SER_BRO_FUNC);
-
-bool BroFunc::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BRO_FUNC, Func);
-	return SERIALIZE(frame_size);
-	}
-
-bool BroFunc::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Func);
-
-	return UNSERIALIZE(&frame_size);
-	}
-
 BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
 			int arg_is_pure)
 : Func(BUILTIN_FUNC)
@@ -681,20 +561,6 @@ void BuiltinFunc::Describe(ODesc* d) const
 	d->AddCount(is_pure);
 	}
 
-IMPLEMENT_SERIAL(BuiltinFunc, SER_BUILTIN_FUNC);
-
-bool BuiltinFunc::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BUILTIN_FUNC, Func);
-	return true;
-	}
-
-bool BuiltinFunc::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Func);
-	return true;
-	}
-
 void builtin_error(const char* msg, BroObj* arg)
 	{
 	auto emit = [=](const CallExpr* ce)
diff --git a/src/Func.h b/src/Func.h
index 48e0c2e8b8..765d1ec499 100644
--- a/src/Func.h
+++ b/src/Func.h
@@ -59,10 +59,6 @@ public:
 	void Describe(ODesc* d) const override = 0;
 	virtual void DescribeDebug(ODesc* d, const val_list* args) const;
 
-	// This (un-)serializes only a single body (as given in SerialInfo).
-	bool Serialize(SerialInfo* info) const;
-	static Func* Unserialize(UnserialInfo* info);
-
 	virtual TraversalCode Traverse(TraversalCallback* cb) const;
 
 	uint32 GetUniqueFuncID() const { return unique_id; }
@@ -75,8 +71,6 @@ protected:
 	// Helper function for handling result of plugin hook.
 	std::pair<bool, Val*> HandlePluginResult(std::pair<bool, Val*> plugin_result, val_list* args, function_flavor flavor) const;
 
-	DECLARE_ABSTRACT_SERIAL(Func);
-
 	vector<Body> bodies;
 	Scope* scope;
 	Kind kind;
@@ -106,8 +100,6 @@ protected:
 	BroFunc() : Func(BRO_FUNC)	{}
 	Stmt* AddInits(Stmt* body, id_list* inits);
 
-	DECLARE_SERIAL(BroFunc);
-
 	int frame_size;
 };
 
@@ -127,8 +119,6 @@ public:
 protected:
 	BuiltinFunc()	{ func = 0; is_pure = 0; }
 
-	DECLARE_SERIAL(BuiltinFunc);
-
 	built_in_func func;
 	int is_pure;
 };
diff --git a/src/ID.cc b/src/ID.cc
index b9b0a5a624..b3d68e9bda 100644
--- a/src/ID.cc
+++ b/src/ID.cc
@@ -9,7 +9,6 @@
 #include "Func.h"
 #include "Scope.h"
 #include "File.h"
-#include "Serializer.h"
 #include "Scope.h"
 #include "Traverse.h"
 #include "zeekygen/Manager.h"
@@ -293,11 +292,6 @@ void ID::EvalFunc(Expr* ef, Expr* ev)
 	Unref(ce);
 	}
 
-bool ID::Serialize(SerialInfo* info) const
-	{
-	return (ID*) SerialObj::Serialize(info);
-	}
-
 #if 0
 void ID::CopyFrom(const ID* id)
 	{
@@ -330,205 +324,6 @@ void ID::CopyFrom(const ID* id)
 #endif
 #endif
 
-ID* ID::Unserialize(UnserialInfo* info)
-	{
-	ID* id = (ID*) SerialObj::Unserialize(info, SER_ID);
-	if ( ! id )
-		return 0;
-
-	if ( ! id->IsGlobal() )
-		return id;
-
-	// Globals.
-	ID* current = global_scope()->Lookup(id->name);
-
-	if ( ! current )
-		{
-		if ( ! info->install_globals )
-			{
-			info->s->Error("undefined");
-			Unref(id);
-			return 0;
-			}
-
-		Ref(id);
-		global_scope()->Insert(id->Name(), id);
-#ifdef USE_PERFTOOLS_DEBUG
-		heap_checker->IgnoreObject(id);
-#endif
-		}
-
-	else
-		{
-		switch ( info->id_policy ) {
-
-		case UnserialInfo::Keep:
-			Unref(id);
-			Ref(current);
-			id = current;
-			break;
-
-		case UnserialInfo::Replace:
-			Unref(current);
-			Ref(id);
-			global_scope()->Insert(id->Name(), id);
-			break;
-
-		case UnserialInfo::CopyNewToCurrent:
-			if ( ! same_type(current->type, id->type) )
-				{
-				info->s->Error("type mismatch");
-				Unref(id);
-				return 0;
-				}
-
-			if ( ! current->weak_ref )
-				Unref(current->val);
-
-			current->val = id->val;
-			current->weak_ref = id->weak_ref;
-			if ( current->val && ! current->weak_ref )
-				Ref(current->val);
-
-#ifdef DEBUG
-			current->UpdateValID();
-#endif
-
-			Unref(id);
-			Ref(current);
-			id = current;
-
-		break;
-
-		case UnserialInfo::CopyCurrentToNew:
-			if ( ! same_type(current->type, id->type) )
-				{
-				info->s->Error("type mismatch");
-				return 0;
-				}
-			if ( ! id->weak_ref )
-				Unref(id->val);
-			id->val = current->val;
-			id->weak_ref = current->weak_ref;
-			if ( id->val && ! id->weak_ref )
-				Ref(id->val);
-
-#ifdef DEBUG
-			id->UpdateValID();
-#endif
-
-			Unref(current);
-			Ref(id);
-			global_scope()->Insert(id->Name(), id);
-			break;
-
-		case UnserialInfo::InstantiateNew:
-			// Do nothing.
-			break;
-
-		default:
-			reporter->InternalError("unknown type for UnserialInfo::id_policy");
-		}
-		}
-
-	return id;
-
-	}
-
-IMPLEMENT_SERIAL(ID, SER_ID);
-
-bool ID::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE_WITH_SUSPEND(SER_ID, BroObj);
-
-	if ( info->cont.NewInstance() )
-		{
-		DisableSuspend suspend(info);
-
-		info->s->WriteOpenTag("ID");
-
-		if ( ! (SERIALIZE(name) &&
-			SERIALIZE(char(scope)) &&
-			SERIALIZE(is_export) &&
-			SERIALIZE(is_const) &&
-			SERIALIZE(is_enum_const) &&
-			SERIALIZE(is_type) &&
-			SERIALIZE(offset) &&
-			SERIALIZE(infer_return_type) &&
-			SERIALIZE(weak_ref) &&
-			type->Serialize(info)) )
-			return false;
-
-		SERIALIZE_OPTIONAL(attrs);
-		}
-
-	SERIALIZE_OPTIONAL(val);
-
-	return true;
-	}
-
-bool ID::DoUnserialize(UnserialInfo* info)
-	{
-	bool installed_tmp = false;
-
-	DO_UNSERIALIZE(BroObj);
-
-	char id_scope;
-
-	if ( ! (UNSERIALIZE_STR(&name, 0) &&
-		UNSERIALIZE(&id_scope) &&
-		UNSERIALIZE(&is_export) &&
-		UNSERIALIZE(&is_const) &&
-		UNSERIALIZE(&is_enum_const) &&
-		UNSERIALIZE(&is_type) &&
-		UNSERIALIZE(&offset) &&
-		UNSERIALIZE(&infer_return_type) &&
-		UNSERIALIZE(&weak_ref)
-	       ) )
-		return false;
-
-	scope = IDScope(id_scope);
-
-	info->s->SetErrorDescr(fmt("unserializing ID %s", name));
-
-	type = BroType::Unserialize(info);
-	if ( ! type )
-		return false;
-
-	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
-
-	// If it's a global function not currently known,
-	// we temporarily install it in global scope.
-	// This is necessary for recursive functions.
-	if ( IsGlobal() && Type()->Tag() == TYPE_FUNC )
-		{
-		ID* current = global_scope()->Lookup(name);
-		if ( ! current )
-			{
-			installed_tmp = true;
-			global_scope()->Insert(Name(), this);
-			}
-		}
-
-	UNSERIALIZE_OPTIONAL(val, Val::Unserialize(info));
-#ifdef DEBUG
-	UpdateValID();
-#endif
-
-	if ( weak_ref )
-		{
-		// At this point at least the serialization cache will hold a
-		// reference so this will not delete the val.
-		assert(val->RefCnt() > 1);
-		Unref(val);
-		}
-
-	if ( installed_tmp && ! global_scope()->Remove(name) )
-		reporter->InternalWarning("missing tmp ID in %s unserialization", name);
-
-	return true;
-	}
-
 TraversalCode ID::Traverse(TraversalCallback* cb) const
 	{
 	TraversalCode tc = cb->PreID(this);
diff --git a/src/ID.h b/src/ID.h
index 18754584df..bb9e11ca06 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -10,7 +10,6 @@
 #include <string>
 
 class Val;
-class SerialInfo;
 class Func;
 
 typedef enum { INIT_NONE, INIT_FULL, INIT_EXTRA, INIT_REMOVE, } init_class;
@@ -98,9 +97,6 @@ public:
 	void DescribeReST(ODesc* d, bool roles_only = false) const;
 	void DescribeReSTShort(ODesc* d) const;
 
-	bool Serialize(SerialInfo* info) const;
-	static ID* Unserialize(UnserialInfo* info);
-
 	bool DoInferReturnType() const
 		{ return infer_return_type; }
 	void SetInferReturnType(bool infer)
@@ -124,8 +120,6 @@ protected:
 	void UpdateValID();
 #endif
 
-	DECLARE_SERIAL(ID);
-
 	const char* name;
 	IDScope scope;
 	bool is_export;
diff --git a/src/Net.cc b/src/Net.cc
index 79b66e1a80..5b737940b0 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -27,7 +27,6 @@
 #include "Reporter.h"
 #include "Net.h"
 #include "Anon.h"
-#include "Serializer.h"
 #include "PacketDumper.h"
 #include "iosource/Manager.h"
 #include "iosource/PktSrc.h"
diff --git a/src/Obj.cc b/src/Obj.cc
index 023fa0d237..7fa5adde2f 100644
--- a/src/Obj.cc
+++ b/src/Obj.cc
@@ -5,7 +5,6 @@
 #include <stdlib.h>
 
 #include "Obj.h"
-#include "Serializer.h"
 #include "Func.h"
 #include "File.h"
 #include "plugin/Manager.h"
@@ -14,47 +13,6 @@ Location no_location("<no location>", 0, 0, 0, 0);
 Location start_location("<start uninitialized>", 0, 0, 0, 0);
 Location end_location("<end uninitialized>", 0, 0, 0, 0);
 
-bool Location::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Location* Location::Unserialize(UnserialInfo* info)
-	{
-	return (Location*) SerialObj::Unserialize(info, SER_LOCATION);
-	}
-
-IMPLEMENT_SERIAL(Location, SER_LOCATION);
-
-bool Location::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_LOCATION, SerialObj);
-	info->s->WriteOpenTag("Location");
-
-	if ( ! (SERIALIZE(filename) &&
-	        SERIALIZE(first_line) &&
-	        SERIALIZE(last_line) &&
-	        SERIALIZE(first_column) &&
-	        SERIALIZE(last_column)) )
-		return false;
-
-	info->s->WriteCloseTag("Location");
-	return true;
-	}
-
-bool Location::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	delete_data = true;
-
-	return UNSERIALIZE_STR(&filename, 0)
-		&& UNSERIALIZE(&first_line)
-		&& UNSERIALIZE(&last_line)
-		&& UNSERIALIZE(&first_column)
-		&& UNSERIALIZE(&last_column);
-	}
-
 void Location::Describe(ODesc* d) const
 	{
 	if ( filename )
@@ -228,29 +186,6 @@ void BroObj::PinPoint(ODesc* d, const BroObj* obj2, int pinpoint_only) const
 	d->Add(")");
 	}
 
-bool BroObj::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BRO_OBJ, SerialObj);
-
-	info->s->WriteOpenTag("Object");
-
-	Location* loc = info->include_locations ? location : 0;
-	SERIALIZE_OPTIONAL(loc);
-	info->s->WriteCloseTag("Object");
-
-	return true;
-	}
-
-bool BroObj::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	delete location;
-
-	UNSERIALIZE_OPTIONAL(location, Location::Unserialize(info));
-	return true;
-	}
-
 void print(const BroObj* obj)
 	{
 	static BroFile fstderr(stderr);
diff --git a/src/Obj.h b/src/Obj.h
index 047eec0856..315880a18e 100644
--- a/src/Obj.h
+++ b/src/Obj.h
@@ -7,12 +7,8 @@
 
 #include "input.h"
 #include "Desc.h"
-#include "SerialObj.h"
 
-class Serializer;
-class SerialInfo;
-
-class Location : SerialObj {
+class Location {
 public:
 	Location(const char* fname, int line_f, int line_l, int col_f, int col_l)
 		{
@@ -36,7 +32,7 @@ public:
 		text = 0;
 		}
 
-	~Location() override
+	virtual ~Location()
 		{
 		if ( delete_data )
 			delete [] filename;
@@ -44,9 +40,6 @@ public:
 
 	void Describe(ODesc* d) const;
 
-	bool Serialize(SerialInfo* info) const;
-	static Location* Unserialize(UnserialInfo* info);
-
 	bool operator==(const Location& l) const;
 	bool operator!=(const Location& l) const
 		{ return ! (*this == l); }
@@ -59,8 +52,6 @@ public:
 	// Timestamp and text for compatibility with Bison's default yyltype.
 	int timestamp;
 	char* text;
-protected:
-	DECLARE_SERIAL(Location);
 };
 
 #define YYLTYPE yyltype
@@ -86,7 +77,7 @@ inline void set_location(const Location start, const Location end)
 	end_location = end;
 	}
 
-class BroObj : public SerialObj {
+class BroObj {
 public:
 	BroObj()
 		{
@@ -112,7 +103,7 @@ public:
 			SetLocationInfo(&start_location, &end_location);
 		}
 
-	~BroObj() override;
+	virtual ~BroObj();
 
 	// Report user warnings/errors.  If obj2 is given, then it's
 	// included in the message, though if pinpoint_only is non-zero,
@@ -168,10 +159,6 @@ public:
 	bool in_ser_cache;
 
 protected:
-	friend class SerializationCache;
-
-	DECLARE_ABSTRACT_SERIAL(BroObj);
-
 	Location* location;	// all that matters in real estate
 
 private:
diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc
index ce25ea5475..b130c1703c 100644
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@@ -3,7 +3,6 @@
 #include "OpaqueVal.h"
 #include "NetVar.h"
 #include "Reporter.h"
-#include "Serializer.h"
 #include "probabilistic/BloomFilter.h"
 #include "probabilistic/CardinalityCounter.h"
 
@@ -63,20 +62,6 @@ HashVal::HashVal(OpaqueType* t) : OpaqueVal(t)
 	valid = false;
 	}
 
-IMPLEMENT_SERIAL(HashVal, SER_HASH_VAL);
-
-bool HashVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_HASH_VAL, OpaqueVal);
-	return SERIALIZE(valid);
-	}
-
-bool HashVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal);
-	return UNSERIALIZE(&valid);
-	}
-
 MD5Val::MD5Val() : HashVal(md5_type)
 	{
 	}
@@ -147,67 +132,6 @@ StringVal* MD5Val::DoGet()
 	return new StringVal(md5_digest_print(digest));
 	}
 
-IMPLEMENT_SERIAL(MD5Val, SER_MD5_VAL);
-
-bool MD5Val::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_MD5_VAL, HashVal);
-
-	if ( ! IsValid() )
-		return true;
-
-	MD5_CTX* md = (MD5_CTX*) EVP_MD_CTX_md_data(ctx);
-
-	if ( ! (SERIALIZE(md->A) &&
-		SERIALIZE(md->B) &&
-		SERIALIZE(md->C) &&
-		SERIALIZE(md->D) &&
-		SERIALIZE(md->Nl) &&
-		SERIALIZE(md->Nh)) )
-		return false;
-
-	for ( int i = 0; i < MD5_LBLOCK; ++i )
-		{
-		if ( ! SERIALIZE(md->data[i]) )
-			return false;
-		}
-
-	if ( ! SERIALIZE(md->num) )
-		return false;
-
-	return true;
-	}
-
-bool MD5Val::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(HashVal);
-
-	if ( ! IsValid() )
-		return true;
-
-	ctx = hash_init(Hash_MD5);
-	MD5_CTX* md = (MD5_CTX*) EVP_MD_CTX_md_data(ctx);
-
-	if ( ! (UNSERIALIZE(&md->A) &&
-		UNSERIALIZE(&md->B) &&
-		UNSERIALIZE(&md->C) &&
-		UNSERIALIZE(&md->D) &&
-		UNSERIALIZE(&md->Nl) &&
-		UNSERIALIZE(&md->Nh)) )
-		return false;
-
-	for ( int i = 0; i < MD5_LBLOCK; ++i )
-		{
-		if ( ! UNSERIALIZE(&md->data[i]) )
-			return false;
-		}
-
-	if ( ! UNSERIALIZE(&md->num) )
-		return false;
-
-	return true;
-	}
-
 SHA1Val::SHA1Val() : HashVal(sha1_type)
 	{
 	}
@@ -267,69 +191,6 @@ StringVal* SHA1Val::DoGet()
 	return new StringVal(sha1_digest_print(digest));
 	}
 
-IMPLEMENT_SERIAL(SHA1Val, SER_SHA1_VAL);
-
-bool SHA1Val::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SHA1_VAL, HashVal);
-
-	if ( ! IsValid() )
-		return true;
-
-	SHA_CTX* md = (SHA_CTX*) EVP_MD_CTX_md_data(ctx);
-
-	if ( ! (SERIALIZE(md->h0) &&
-		SERIALIZE(md->h1) &&
-		SERIALIZE(md->h2) &&
-		SERIALIZE(md->h3) &&
-		SERIALIZE(md->h4) &&
-		SERIALIZE(md->Nl) &&
-		SERIALIZE(md->Nh)) )
-		return false;
-
-	for ( int i = 0; i < SHA_LBLOCK; ++i )
-		{
-		if ( ! SERIALIZE(md->data[i]) )
-			return false;
-		}
-
-	if ( ! SERIALIZE(md->num) )
-		return false;
-
-	return true;
-	}
-
-bool SHA1Val::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(HashVal);
-
-	if ( ! IsValid() )
-		return true;
-
-	ctx = hash_init(Hash_SHA1);
-	SHA_CTX* md = (SHA_CTX*) EVP_MD_CTX_md_data(ctx);
-
-	if ( ! (UNSERIALIZE(&md->h0) &&
-		UNSERIALIZE(&md->h1) &&
-		UNSERIALIZE(&md->h2) &&
-		UNSERIALIZE(&md->h3) &&
-		UNSERIALIZE(&md->h4) &&
-		UNSERIALIZE(&md->Nl) &&
-		UNSERIALIZE(&md->Nh)) )
-		return false;
-
-	for ( int i = 0; i < SHA_LBLOCK; ++i )
-		{
-		if ( ! UNSERIALIZE(&md->data[i]) )
-			return false;
-		}
-
-	if ( ! UNSERIALIZE(&md->num) )
-		return false;
-
-	return true;
-	}
-
 SHA256Val::SHA256Val() : HashVal(sha256_type)
 	{
 	}
@@ -389,74 +250,6 @@ StringVal* SHA256Val::DoGet()
 	return new StringVal(sha256_digest_print(digest));
 	}
 
-IMPLEMENT_SERIAL(SHA256Val, SER_SHA256_VAL);
-
-bool SHA256Val::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SHA256_VAL, HashVal);
-
-	if ( ! IsValid() )
-		return true;
-
-	SHA256_CTX* md = (SHA256_CTX*) EVP_MD_CTX_md_data(ctx);
-
-	for ( int i = 0; i < 8; ++i )
-		{
-		if ( ! SERIALIZE(md->h[i]) )
-			return false;
-		}
-
-	if ( ! (SERIALIZE(md->Nl) &&
-		SERIALIZE(md->Nh)) )
-		return false;
-
-	for ( int i = 0; i < SHA_LBLOCK; ++i )
-		{
-		if ( ! SERIALIZE(md->data[i]) )
-			return false;
-		}
-
-	if ( ! (SERIALIZE(md->num) &&
-		SERIALIZE(md->md_len)) )
-	     return false;
-
-	return true;
-	}
-
-bool SHA256Val::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(HashVal);
-
-	if ( ! IsValid() )
-		return true;
-
-	ctx = hash_init(Hash_SHA256);
-	SHA256_CTX* md = (SHA256_CTX*) EVP_MD_CTX_md_data(ctx);
-
-	for ( int i = 0; i < 8; ++i )
-		{
-		if ( ! UNSERIALIZE(&md->h[i]) )
-			return false;
-		}
-
-	if ( ! (UNSERIALIZE(&md->Nl) &&
-		UNSERIALIZE(&md->Nh)) )
-	     return false;
-
-	for ( int i = 0; i < SHA_LBLOCK; ++i )
-		{
-		if ( ! UNSERIALIZE(&md->data[i]) )
-			return false;
-		}
-
-
-	if ( ! (UNSERIALIZE(&md->num) &&
-		UNSERIALIZE(&md->md_len)) )
-		return false;
-
-	return true;
-	}
-
 EntropyVal::EntropyVal() : OpaqueVal(entropy_type)
 	{
 	}
@@ -474,82 +267,6 @@ bool EntropyVal::Get(double *r_ent, double *r_chisq, double *r_mean,
 	return true;
 	}
 
-IMPLEMENT_SERIAL(EntropyVal, SER_ENTROPY_VAL);
-
-bool EntropyVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ENTROPY_VAL, OpaqueVal);
-
-	for ( int i = 0; i < 256; ++i )
-		{
-		if ( ! SERIALIZE(state.ccount[i]) )
-			return false;
-		}
-
-	if ( ! (SERIALIZE(state.totalc) &&
-		SERIALIZE(state.mp) &&
-		SERIALIZE(state.sccfirst)) )
-		return false;
-
-	for ( int i = 0; i < RT_MONTEN; ++i )
-		{
-		if ( ! SERIALIZE(state.monte[i]) )
-			return false;
-		}
-
-	if ( ! (SERIALIZE(state.inmont) &&
-		SERIALIZE(state.mcount) &&
-		SERIALIZE(state.cexp) &&
-		SERIALIZE(state.montex) &&
-		SERIALIZE(state.montey) &&
-		SERIALIZE(state.montepi) &&
-		SERIALIZE(state.sccu0) &&
-		SERIALIZE(state.scclast) &&
-		SERIALIZE(state.scct1) &&
-		SERIALIZE(state.scct2) &&
-		SERIALIZE(state.scct3)) )
-		return false;
-
-	return true;
-	}
-
-bool EntropyVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal);
-
-	for ( int i = 0; i < 256; ++i )
-		{
-		if ( ! UNSERIALIZE(&state.ccount[i]) )
-			return false;
-		}
-
-	if ( ! (UNSERIALIZE(&state.totalc) &&
-		UNSERIALIZE(&state.mp) &&
-		UNSERIALIZE(&state.sccfirst)) )
-		return false;
-
-	for ( int i = 0; i < RT_MONTEN; ++i )
-		{
-		if ( ! UNSERIALIZE(&state.monte[i]) )
-			return false;
-		}
-
-	if ( ! (UNSERIALIZE(&state.inmont) &&
-		UNSERIALIZE(&state.mcount) &&
-		UNSERIALIZE(&state.cexp) &&
-		UNSERIALIZE(&state.montex) &&
-		UNSERIALIZE(&state.montey) &&
-		UNSERIALIZE(&state.montepi) &&
-		UNSERIALIZE(&state.sccu0) &&
-		UNSERIALIZE(&state.scclast) &&
-		UNSERIALIZE(&state.scct1) &&
-		UNSERIALIZE(&state.scct2) &&
-		UNSERIALIZE(&state.scct3)) )
-		return false;
-
-	return true;
-	}
-
 BloomFilterVal::BloomFilterVal()
 	: OpaqueVal(bloomfilter_type)
 	{
@@ -668,44 +385,6 @@ BloomFilterVal::~BloomFilterVal()
 	delete bloom_filter;
 	}
 
-IMPLEMENT_SERIAL(BloomFilterVal, SER_BLOOMFILTER_VAL);
-
-bool BloomFilterVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BLOOMFILTER_VAL, OpaqueVal);
-
-	bool is_typed = (type != 0);
-
-	if ( ! SERIALIZE(is_typed) )
-		return false;
-
-	if ( is_typed && ! type->Serialize(info) )
-		return false;
-
-	return bloom_filter->Serialize(info);
-	}
-
-bool BloomFilterVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal);
-
-	bool is_typed;
-	if ( ! UNSERIALIZE(&is_typed) )
-		return false;
-
-	if ( is_typed )
-		{
-		BroType* t = BroType::Unserialize(info);
-		if ( ! Typify(t) )
-			return false;
-
-		Unref(t);
-		}
-
-	bloom_filter = probabilistic::BloomFilter::Unserialize(info);
-	return bloom_filter != 0;
-	}
-
 CardinalityVal::CardinalityVal() : OpaqueVal(cardinality_type)
 	{
 	c = 0;
@@ -728,44 +407,6 @@ CardinalityVal::~CardinalityVal()
 	delete hash;
 	}
 
-IMPLEMENT_SERIAL(CardinalityVal, SER_CARDINALITY_VAL);
-
-bool CardinalityVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_CARDINALITY_VAL, OpaqueVal);
-
-	bool valid = true;
-	bool is_typed = (type != 0);
-
-	valid &= SERIALIZE(is_typed);
-
-	if ( is_typed )
-		valid &= type->Serialize(info);
-
-	return c->Serialize(info);
-	}
-
-bool CardinalityVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal);
-
-	bool is_typed;
-	if ( ! UNSERIALIZE(&is_typed) )
-		return false;
-
-	if ( is_typed )
-		{
-		BroType* t = BroType::Unserialize(info);
-		if ( ! Typify(t) )
-			return false;
-
-		Unref(t);
-		}
-
-	c = probabilistic::CardinalityCounter::Unserialize(info);
-	return c != 0;
-	}
-
 bool CardinalityVal::Typify(BroType* arg_type)
 	{
 	if ( type )
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h
index 89c7b2a8d2..4afdb48f7e 100644
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@@ -29,8 +29,6 @@ protected:
 	virtual bool DoFeed(const void* data, size_t size);
 	virtual StringVal* DoGet();
 
-	DECLARE_SERIAL(HashVal);
-
 private:
 	// This flag exists because Get() can only be called once.
 	bool valid;
@@ -54,8 +52,6 @@ protected:
 	bool DoFeed(const void* data, size_t size) override;
 	StringVal* DoGet() override;
 
-	DECLARE_SERIAL(MD5Val);
-
 private:
 	EVP_MD_CTX* ctx;
 };
@@ -74,8 +70,6 @@ protected:
 	bool DoFeed(const void* data, size_t size) override;
 	StringVal* DoGet() override;
 
-	DECLARE_SERIAL(SHA1Val);
-
 private:
 	EVP_MD_CTX* ctx;
 };
@@ -94,8 +88,6 @@ protected:
 	bool DoFeed(const void* data, size_t size) override;
 	StringVal* DoGet() override;
 
-	DECLARE_SERIAL(SHA256Val);
-
 private:
 	EVP_MD_CTX* ctx;
 };
@@ -111,8 +103,6 @@ public:
 protected:
 	friend class Val;
 
-	DECLARE_SERIAL(EntropyVal);
-
 private:
 	RandTest state;
 };
@@ -139,8 +129,6 @@ protected:
 	BloomFilterVal();
 	explicit BloomFilterVal(OpaqueType* t);
 
-	DECLARE_SERIAL(BloomFilterVal);
-
 private:
 	// Disable.
 	BloomFilterVal(const BloomFilterVal&);
@@ -171,8 +159,6 @@ private:
 	BroType* type;
 	CompositeHash* hash;
 	probabilistic::CardinalityCounter* c;
-
-	DECLARE_SERIAL(CardinalityVal);
 };
 
 #endif
diff --git a/src/RE.cc b/src/RE.cc
index 517fab4c91..310a8b810f 100644
--- a/src/RE.cc
+++ b/src/RE.cc
@@ -9,7 +9,7 @@
 #include "DFA.h"
 #include "CCL.h"
 #include "EquivClass.h"
-#include "Serializer.h"
+#include "Reporter.h"
 
 CCL* curr_ccl = 0;
 
@@ -469,57 +469,6 @@ int RE_Matcher::Compile(int lazy)
 	return re_anywhere->Compile(lazy) && re_exact->Compile(lazy);
 	}
 
-bool RE_Matcher::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-RE_Matcher* RE_Matcher::Unserialize(UnserialInfo* info)
-	{
-	return (RE_Matcher*) SerialObj::Unserialize(info, SER_RE_MATCHER);
-	}
-
-IMPLEMENT_SERIAL(RE_Matcher, SER_RE_MATCHER);
-
-bool RE_Matcher::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_RE_MATCHER, SerialObj);
-	return SERIALIZE(re_anywhere->PatternText())
-			&& SERIALIZE(re_exact->PatternText());
-	}
-
-bool RE_Matcher::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	re_anywhere = new Specific_RE_Matcher(MATCH_ANYWHERE);
-	re_exact = new Specific_RE_Matcher(MATCH_EXACTLY);
-
-	const char* pat;
-	if ( ! UNSERIALIZE_STR(&pat, 0) )
-		return false;
-
-	re_anywhere->SetPat(pat);
-	if ( ! re_anywhere->Compile() )
-		{
-		info->s->Error(fmt("Can't compile regexp '%s'", pat));
-		return false;
-		}
-
-	if ( ! UNSERIALIZE_STR(&pat, 0) )
-		return false;
-
-	re_exact->SetPat(pat);
-	if ( ! re_exact->Compile() )
-		{
-		info->s->Error(fmt("Can't compile regexp '%s'", pat));
-		return false;
-		}
-
-	return true;
-	}
-
-
 static RE_Matcher* matcher_merge(const RE_Matcher* re1, const RE_Matcher* re2,
 				const char* merge_op)
 	{
diff --git a/src/RE.h b/src/RE.h
index 286eb1b44d..9386aa6f5f 100644
--- a/src/RE.h
+++ b/src/RE.h
@@ -171,12 +171,12 @@ protected:
 	int current_pos;
 };
 
-class RE_Matcher : SerialObj {
+class RE_Matcher {
 public:
 	RE_Matcher();
 	explicit RE_Matcher(const char* pat);
 	RE_Matcher(const char* exact_pat, const char* anywhere_pat);
-	virtual ~RE_Matcher() override;
+	virtual ~RE_Matcher();
 
 	void AddPat(const char* pat);
 
@@ -212,9 +212,6 @@ public:
 	const char* PatternText() const	{ return re_exact->PatternText(); }
 	const char* AnywherePatternText() const	{ return re_anywhere->PatternText(); }
 
-	bool Serialize(SerialInfo* info) const;
-	static RE_Matcher* Unserialize(UnserialInfo* info);
-
 	unsigned int MemoryAllocation() const
 		{
 		return padded_sizeof(*this)
@@ -223,8 +220,6 @@ public:
 		}
 
 protected:
-	DECLARE_SERIAL(RE_Matcher);
-
 	Specific_RE_Matcher* re_anywhere;
 	Specific_RE_Matcher* re_exact;
 };
diff --git a/src/Reassem.cc b/src/Reassem.cc
index 0cdeadf80d..a545a5d027 100644
--- a/src/Reassem.cc
+++ b/src/Reassem.cc
@@ -6,7 +6,6 @@
 #include "bro-config.h"
 
 #include "Reassem.h"
-#include "Serializer.h"
 
 static const bool DEBUG_reassem = false;
 
@@ -357,37 +356,3 @@ uint64 Reassembler::MemoryAllocation(ReassemblerType rtype)
 	return Reassembler::sizes[rtype];
 	}
 
-bool Reassembler::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Reassembler* Reassembler::Unserialize(UnserialInfo* info)
-	{
-	return (Reassembler*) SerialObj::Unserialize(info, SER_REASSEMBLER);
-	}
-
-bool Reassembler::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_REASSEMBLER, BroObj);
-
-	// I'm not sure if it makes sense to actually save the buffered data.
-	// For now, we just remember the seq numbers so that we don't get
-	// complaints about missing content.
-	return SERIALIZE(trim_seq) && SERIALIZE(int(0));
-	}
-
-bool Reassembler::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	blocks = last_block = 0;
-
-	int dummy; // For backwards compatibility.
-	if ( ! UNSERIALIZE(&trim_seq) || ! UNSERIALIZE(&dummy) )
-		return false;
-
-	last_reassem_seq = trim_seq;
-
-	return  true;
-	}
diff --git a/src/Reassem.h b/src/Reassem.h
index 501cd23a18..ee5e4d42b6 100644
--- a/src/Reassem.h
+++ b/src/Reassem.h
@@ -62,9 +62,6 @@ public:
 
 	void Describe(ODesc* d) const override;
 
-	bool Serialize(SerialInfo* info) const;
-	static Reassembler* Unserialize(UnserialInfo* info);
-
 	// Sum over all data buffered in some reassembler.
 	static uint64 TotalMemoryAllocation()	{ return total_size; }
 
@@ -76,8 +73,6 @@ public:
 protected:
 	Reassembler()	{ }
 
-	DECLARE_ABSTRACT_SERIAL(Reassembler);
-
 	friend class DataBlock;
 
 	virtual void Undelivered(uint64 up_to_seq);
diff --git a/src/SerialInfo.h b/src/SerialInfo.h
index 294c5747ba..04cd79daf7 100644
--- a/src/SerialInfo.h
+++ b/src/SerialInfo.h
@@ -3,13 +3,10 @@
 #ifndef serialinfo_h
 #define serialinfo_h
 
-#include "ChunkedIO.h"
-
 class SerialInfo {
 public:
 	SerialInfo(Serializer* arg_s)
 		{
-		chunk = 0;
 		s = arg_s;
 		may_suspend = clear_containers = false;
 		cache = globals_as_names = true;
@@ -21,7 +18,6 @@ public:
 
 	SerialInfo(const SerialInfo& info)
 		{
-		chunk = info.chunk;
 		s = info.s;
 		may_suspend = info.may_suspend;
 		cache = info.cache;
@@ -49,8 +45,6 @@ public:
 	// If true, we support keeping objs in cache permanently.
 	bool new_cache_strategy;
 
-	ChunkedIO::Chunk* chunk; // chunk written right before the serialization
-
 	// Attributes set during serialization.
 	SerialType type;	// type of currently serialized object
 
@@ -65,7 +59,6 @@ public:
 		s = arg_s;
 		cache = true;
 		type = SER_NONE;
-		chunk = 0;
 		install_globals = install_conns = true;
 		install_uniques = false;
 		ignore_callbacks = false;
@@ -80,7 +73,6 @@ public:
 		s = info.s;
 		cache = info.cache;
 		type = info.type;
-		chunk = info.chunk;
 		install_globals = info.install_globals;
 		install_uniques = info.install_uniques;
 		install_conns = info.install_conns;
@@ -96,8 +88,6 @@ public:
 	bool cache;	// if true,  object caching is ok
 	FILE* print;	// print read objects to given file (human-readable)
 
-	ChunkedIO::Chunk* chunk; // chunk to parse (rather than reading one)
-
 	bool install_globals;	// if true, install unknown globals
 				// in global scope
 	bool install_conns;	// if true, add connections to session table
diff --git a/src/SerialObj.cc b/src/SerialObj.cc
deleted file mode 100644
index ab7f63e823..0000000000
--- a/src/SerialObj.cc
+++ /dev/null
@@ -1,277 +0,0 @@
-#include "SerialObj.h"
-#include "Serializer.h"
-
-TransientID::ID TransientID::counter = 0;
-
-SerialObj::FactoryMap* SerialObj::factories = 0;
-SerialObj::ClassNameMap* SerialObj::names = 0;
-uint64 SerialObj::time_counter = NEVER + ALWAYS + 1;
-
-SerialObj* SerialObj::Instantiate(SerialType type)
-	{
-	FactoryMap::iterator f = factories->find(type & SER_TYPE_MASK_EXACT);
-	if ( f != factories->end() )
-		{
-		SerialObj* o = (SerialObj*) (*f->second)();
-#ifdef DEBUG
-		o->serial_type = o->GetSerialType();
-#endif
-		return o;
-		}
-
-	reporter->Error("Unknown object type 0x%08x", type);
-	return 0;
-	}
-
-const char* SerialObj::ClassName(SerialType type)
-	{
-	ClassNameMap::iterator f = names->find(type);
-	if ( f != names->end() )
-		return f->second;
-
-	reporter->Error("Unknown object type 0x%08x", type);
-	return "<no-class-name>";
-	}
-
-void SerialObj::Register(SerialType type, FactoryFunc f, const char* name)
-	{
-	if ( ! factories )
-		{
-		factories = new FactoryMap;
-		names = new ClassNameMap;
-		}
-
-	type = type & SER_TYPE_MASK_EXACT;
-
-	FactoryMap::iterator i = factories->find(type);
-	if ( i != factories->end() )
-		reporter->InternalError("SerialType 0x%08x registered twice", type);
-
-	(*factories)[type] = f;
-	(*names)[type] = name;
-	}
-
-inline bool SerializePID(SerialInfo* info, bool full, SerializationCache::PermanentID pid)
-	{
-	if ( ! SERIALIZE(full) )
-		return false;
-
-	if ( ! info->pid_32bit )
-		return SERIALIZE(pid);
-
-	// Broccoli compatibility mode with 32bit pids.
-	uint32 tmp = uint32(pid);
-	return SERIALIZE(tmp);
-	}
-
-bool SerialObj::Serialize(SerialInfo* info) const
-	{
-	assert(info);
-
-	if ( info->cont.NewInstance() )
-		{
-		SerializationCache::PermanentID pid = SerializationCache::NONE;
-
-		const TransientID* tid = GetTID();
-
-		if ( ! tid )
-			reporter->InternalError("no tid - missing DECLARE_SERIAL?");
-
-		if ( info->cache )
-			pid = info->s->Cache()->Lookup(*tid);
-
-		if ( pid != SerializationCache::NONE && info->cache )
-			{
-			DBG_LOG(DBG_SERIAL, "%s [%p, ref pid %lld, tid %lld]", __PRETTY_FUNCTION__, this, (long long) pid, tid->Value() );
-
-			DBG_LOG(DBG_SERIAL, "-- Caching");
-			DBG_PUSH(DBG_SERIAL);
-
-			if ( ! SerializePID(info, false, pid) )
-				{
-				DBG_POP(DBG_SERIAL);
-				return false;
-				}
-
-			DBG_POP(DBG_SERIAL);
-			return true;
-			}
-
-		if ( info->cache )
-			pid = info->s->Cache()->Register(this,
-						SerializationCache::NONE,
-						info->new_cache_strategy);
-
-		DBG_LOG(DBG_SERIAL, "%s [%p, new pid %lld, tid %lld]", __PRETTY_FUNCTION__, this, (long long) pid, tid->Value() );
-		DBG_LOG(DBG_SERIAL, "-- Caching");
-		DBG_PUSH(DBG_SERIAL);
-
-		if ( ! SerializePID(info, true, pid) )
-			{
-			DBG_POP(DBG_SERIAL);
-			return false;
-			}
-
-		info->type = SER_NONE;
-		DBG_POP(DBG_SERIAL);
-		}
-
-	DBG_PUSH(DBG_SERIAL);
-	info->cont.SaveContext();
-	bool ret = DoSerialize(info);
-	info->cont.RestoreContext();
-	DBG_POP(DBG_SERIAL);
-
-	if ( info->cont.ChildSuspended() )
-		return ret;
-
-#ifdef DEBUG
-	if ( debug_logger.IsEnabled(DBG_SERIAL) && IsBroObj(serial_type) )
-		{
-		ODesc desc(DESC_READABLE);
-		((BroObj*)this)->Describe(&desc);
-		DBG_LOG(DBG_SERIAL, "-- Desc: %s", desc.Description());
-		}
-#endif
-
-	return ret;
-	}
-
-SerialObj* SerialObj::Unserialize(UnserialInfo* info, SerialType type)
-	{
-	SerializationCache::PermanentID pid = SerializationCache::NONE;
-
-	DBG_LOG(DBG_SERIAL, "%s", __PRETTY_FUNCTION__);
-
-	bool full_obj;
-
-	DBG_LOG(DBG_SERIAL, "-- Caching");
-	DBG_PUSH(DBG_SERIAL);
-
-	bool result;
-
-	if ( ! info->pid_32bit )
-		result = UNSERIALIZE(&full_obj) && UNSERIALIZE(&pid);
-	else
-		{
-		// Broccoli compatibility mode with 32bit pids.
-		uint32 tmp = 0;
-		result = UNSERIALIZE(&full_obj) && UNSERIALIZE(&tmp);
-		pid = tmp;
-		}
-
-	if ( ! result )
-		{
-		DBG_POP(DBG_SERIAL);
-		return 0;
-		}
-
-	DBG_POP(DBG_SERIAL);
-
-	DBG_LOG(DBG_SERIAL, "-- [%s pid %lld]", full_obj ? "obj" : "ref", (long long) pid);
-
-	if ( ! full_obj )
-		{
-		// FIXME: Yet another const_cast to check eventually...
-		SerialObj* obj =
-			const_cast<SerialObj*>(info->s->Cache()->Lookup(pid));
-		if ( obj )
-			{
-			if ( obj->IsBroObj() )
-				Ref((BroObj*) obj);
-			return obj;
-			}
-
-		// In the following we'd like the format specifier to match
-		// the type of pid; but pid is uint64, for which there's
-		// no portable format specifier.  So we upcast it to long long,
-		// which is at least that size, and use a matching format.
-		info->s->Error(fmt("unknown object %lld referenced",
-				(long long) pid));
-		return 0;
-		}
-
-	uint16 stype;
-	if ( ! UNSERIALIZE(&stype) )
-		return 0;
-
-	SerialObj* obj = Instantiate(SerialType(stype));
-
-	if ( ! obj )
-		{
-		info->s->Error("unknown object type");
-		return 0;
-		}
-
-#ifdef DEBUG
-	obj->serial_type = stype;
-#endif
-
-	const TransientID* tid = obj->GetTID();
-	if ( ! tid )
-		reporter->InternalError("no tid - missing DECLARE_SERIAL?");
-
-	if ( info->cache )
-		info->s->Cache()->Register(obj, pid, info->new_cache_strategy);
-
-	info->type = stype;
-
-	DBG_PUSH(DBG_SERIAL);
-	if ( ! obj->DoUnserialize(info) )
-		{
-		DBG_POP(DBG_SERIAL);
-		return 0;
-		}
-
-	DBG_POP(DBG_SERIAL);
-
-	if ( ! SerialObj::CheckTypes(stype, type) )
-		{
-		info->s->Error("type mismatch");
-		return 0;
-		}
-
-#ifdef DEBUG
-	if ( debug_logger.IsEnabled(DBG_SERIAL) && IsBroObj(stype) )
-		{
-		ODesc desc(DESC_READABLE);
-		((BroObj*)obj)->Describe(&desc);
-		DBG_LOG(DBG_SERIAL, "-- Desc: %s", desc.Description());
-		}
-#endif
-
-	assert(obj);
-	return obj;
-	}
-
-bool SerialObj::DoSerialize(SerialInfo* info) const
-	{
-	assert(info->type != SER_NONE);
-
-#ifdef DEBUG
-	const_cast<SerialObj*>(this)->serial_type = info->type;
-#endif
-
-	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__);
-	DBG_PUSH(DBG_SERIAL);
-
-	uint16 stype = uint16(info->type);
-
-	if ( ! info->new_cache_strategy )
-		{
-		// This is a bit unfortunate: to make sure we're sending
-		// out the same types as in the past, we need to strip out
-		// the new cache stable bit.
-		stype &= ~SER_IS_CACHE_STABLE;
-		}
-
-	bool ret = SERIALIZE(stype);
-	DBG_POP(DBG_SERIAL);
-	return ret;
-	}
-
-bool SerialObj::DoUnserialize(UnserialInfo* info)
-	{
-	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__);
-	return true;
-	}
diff --git a/src/SerialObj.h b/src/SerialObj.h
deleted file mode 100644
index b502414f71..0000000000
--- a/src/SerialObj.h
+++ /dev/null
@@ -1,382 +0,0 @@
-// Infrastructure for serializable objects.
-//
-// How to make objects of class Foo serializable:
-//
-//    1. Derive Foo (directly or indirectly) from SerialObj.
-//    2. Add a SER_FOO constant to SerialTypes in SerialTypes.h.
-//    3. Add DECLARE_SERIAL(Foo) into class definition.
-//    4. Add a (preferably protected) default ctor if it doesn't already exist.
-//    5. For non-abstract classes, add IMPLEMENT_SERIAL(Foo, SER_FOO) to *.cc
-//    6. Add two methods like this to *.cc (keep names of arguments!)
-//
-//       bool Foo::DoSerialize(SerialInfo* info) const
-//           {
-//           DO_SERIALIZE(SER_FOO, ParentClassOfFoo);
-//           <... serialize class members via methods in Serializer ...>
-//           return true if everything ok;
-//	     }
-//
-//       bool Foo::DoUnserialize(UnserialInfo* info)
-//           {
-//           DO_UNSERIALIZE(ParentClassOfFoo);
-//           <... unserialize class members via methods in Serializer ...>
-//           return true if everything ok;
-//           }
-//
-//   (7. If no parent class of Foo already contains Serialize()/Unserialize()
-//       methods, these need to be added somewhere too. But most of the various
-//       parts of the class hierarchy already have them.)
-
-
-#ifndef SERIALOBJ_H
-#define SERIALOBJ_H
-
-#include <map>
-#include <util.h>
-
-#include "DebugLogger.h"
-#include "Continuation.h"
-#include "SerialTypes.h"
-#include "bro-config.h"
-
-#if SIZEOF_LONG_LONG < 8
-# error "Serialization requires that sizeof(long long) is at least 8. (Remove this message only if you know what you're doing.)"
-#endif
-
-class Serializer;
-class SerialInfo;
-class UnserialInfo;
-class SerializationCache;
-
-// Per-process unique ID.
-class TransientID {
-public:
-	TransientID()	{ id = ++counter; }
-
-	typedef unsigned long long ID;
-	ID Value() const	{ return id; }
-
-private:
-	ID id;
-	static ID counter;
-};
-
-// Abstract base class for serializable objects.
-class SerialObj {
-public:
-	virtual ~SerialObj()	{ }
-
-	virtual const TransientID* GetTID() const	{ return 0; }
-
-	virtual SerialType GetSerialType() const	{ return 0; }
-
-	bool IsBroObj() const { return IsBroObj(GetSerialType()); }
-	bool IsCacheStable() const { return IsCacheStable(GetSerialType()); }
-
-	static const uint64 NEVER = 0;
-	static const uint64 ALWAYS = 1;
-
-	// Returns time of last modification. This "time" is a monotonically
-	// increasing counter which is incremented each time a modification is
-	// performed (more precisely: each time an object is modified which
-	// returns something different than NEVER). Such times can thus be
-	// compared to see whether some modification took place before another.
-	//
-	// There are two special values:
-	//    NEVER:  This object will never change.
-	//    ALWAYS: Always consider this object as changed, i.e., don't
-	//            cache it.
-	virtual uint64 LastModified() const	{ return NEVER; }
-
-	// Instantiate an object of the given type. Return nil
-	// if unknown.
-	static SerialObj* Instantiate(SerialType type);
-
-	static const char* ClassName(SerialType type);
-
-	// Associate a "factory" function with the given type.
-	// A factory is a class or function that creates instances
-	// of a certain type.
-
-	typedef SerialObj* (*FactoryFunc)();
-	static void Register(SerialType type, FactoryFunc f,
-			const char* class_name);
-
-	static bool IsBroObj(SerialType type)
-		{ return type & SER_IS_BRO_OBJ; }
-
-	static bool IsCacheStable(SerialType type)
-		{ return type & SER_IS_CACHE_STABLE; }
-
-	static bool CheckTypes(SerialType type1, SerialType type2)
-		{ return (type1 & SER_TYPE_MASK_PARENT) ==
-			 (type2 & SER_TYPE_MASK_PARENT); }
-
-protected:
-	friend class SerializationCache;
-
-	SerialObj()
-		{
-#ifdef DEBUG
-		serial_type = 0;
-#endif
-		}
-
-	// Serializes this object. If info->cache is false, we can use
-	// DECLARE_NON_CACHEABLE_SERIAL (instead of DECLARE_SERIAL) which
-	// avoids storing a per-object id.
-	bool Serialize(SerialInfo* info) const;
-
-	// Unserializes next object.
-	static SerialObj* Unserialize(UnserialInfo* info,
-					SerialType type);
-
-	virtual bool DoSerialize(SerialInfo* info) const;
-	virtual bool DoUnserialize(UnserialInfo* info);
-
-	typedef std::map<SerialType, FactoryFunc> FactoryMap;
-	static FactoryMap* factories;
-
-	typedef std::map<SerialType, const char*> ClassNameMap;
-	static ClassNameMap* names;
-
-	static uint64 time_counter;
-	static uint64 IncreaseTimeCounter()	{ return ++time_counter; }
-	static uint64 GetTimeCounter()	{ return time_counter; }
-
-#ifdef DEBUG
-	SerialType serial_type;
-#endif
-};
-
-// A class that registers a factory function upon instantiation.
-class SerialTypeRegistrator {
-public:
-	SerialTypeRegistrator(SerialType type, SerialObj::FactoryFunc func,
-			const char* class_name)
-		{
-		SerialObj::Register(type, func, class_name);
-		}
-};
-
-
-// Macro helpers.
-
-#define DECLARE_ABSTRACT_SERIAL(classname) \
-	bool DoSerialize(SerialInfo*) const override; \
-	bool DoUnserialize(UnserialInfo*) override; \
-
-#define DECLARE_SERIAL(classname) \
-	static classname* Instantiate(); \
-	static SerialTypeRegistrator register_type; \
-	bool DoSerialize(SerialInfo*) const override; \
-	bool DoUnserialize(UnserialInfo*) override; \
-	const TransientID*  GetTID() const override	{ return &tid; } \
-	SerialType GetSerialType() const override; \
-	TransientID tid;
-
-// Only needed (and usable) for non-abstract classes.
-#define IMPLEMENT_SERIAL(classname, classtype) \
-	SerialTypeRegistrator classname::register_type(classtype, \
-			FactoryFunc(&classname::Instantiate), #classname); \
-	SerialType classname::GetSerialType() const { return classtype; }; \
-	classname* classname::Instantiate()	{ return new classname(); } \
-
-// Pushes debug level on instantiation and pops when it goes out of scope.
-class AutoPush {
-public:
-	AutoPush()	{ DBG_PUSH(DBG_SERIAL); }
-	~AutoPush()	{ DBG_POP(DBG_SERIAL); }
-};
-
-// Note that by default we disable suspending.  Use DO_SERIALIZE_WITH_SUSPEND
-// to enable, but be careful to make sure that whomever calls us is aware of
-// the fact (or has already disabled suspension itself).
-#define DO_SERIALIZE(classtype, super) \
-	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__); \
-	if ( info->type == SER_NONE ) \
-		info->type = classtype; \
-	DisableSuspend suspend(info); \
-	AutoPush auto_push; \
-	if ( ! super::DoSerialize(info) ) \
-		return false;
-
-// Unfortunately, this is getting quite long. :-(
-#define DO_SERIALIZE_WITH_SUSPEND(classtype, super) \
-	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__); \
-	if ( info->type == SER_NONE ) \
-		info->type = classtype; \
-	AutoPush auto_push; \
-	\
-	bool call_super = info->cont.NewInstance(); \
-	\
-	if ( info->cont.ChildSuspended() ) \
-		{ \
-		void* user_ptr = info->cont.RestoreState(); \
-		if ( user_ptr == &call_super ) \
-			call_super = true; \
-		} \
-	\
-	if ( call_super ) \
-		{ \
-		info->cont.SaveState(&call_super); \
-		info->cont.SaveContext(); \
-		bool result = super::DoSerialize(info); \
-		info->cont.RestoreContext(); \
-		if ( ! result ) \
-			return false; \
-		if ( info->cont.ChildSuspended() ) \
-			return true; \
-		info->cont.SaveState(0); \
-		} \
-
-#define DO_UNSERIALIZE(super) \
-	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__); \
-	AutoPush auto_push; \
-	if ( ! super::DoUnserialize(info) ) \
-		return false;
-
-#define SERIALIZE(x) \
-	info->s->Write(x, #x)
-
-#define SERIALIZE_STR(x, y) \
-	info->s->Write(x, y, #x)
-
-#define SERIALIZE_BIT(bit) \
-	info->s->Write(bool(bit), #bit)
-
-#define UNSERIALIZE(x) \
-	info->s->Read(x, #x)
-
-#define UNSERIALIZE_STR(x, y) \
-	info->s->Read(x, y, #x)
-
-#define UNSERIALIZE_BIT(bit) \
-	{ \
-	bool tmp; \
-	if ( ! info->s->Read(&tmp, #bit) ) \
-		return false; \
-	bit = (unsigned int) tmp; \
-	}
-
-// Some helpers for pointers which may be nil.
-#define SERIALIZE_OPTIONAL(ptr) \
-	{	\
-	if ( ptr )	\
-		{	\
-		if ( ! info->cont.ChildSuspended() )	\
-			if ( ! info->s->Write(true, "has_" #ptr) )	\
-				return false;	\
-		\
-		info->cont.SaveContext();	\
-		bool result = ptr->Serialize(info);	\
-		info->cont.RestoreContext();	\
-		if ( ! result )	\
-			return false;	\
-		\
-		if ( info->cont.ChildSuspended() )	\
-			return true;	\
-		}	\
-	\
-	else if ( ! info->s->Write(false, "has_" #ptr) )	\
-		return false;	\
-	}
-
-#define SERIALIZE_OPTIONAL_STR(str) \
-	{	\
-	if ( str )	\
-		{	\
-		if ( ! (info->s->Write(true, "has_" #str) && info->s->Write(str, "str")) )	\
-			return false;	\
-		}	\
-	\
-	else if ( ! info->s->Write(false, "has_" #str) )	\
-		return false;	\
-	}
-
-#define UNSERIALIZE_OPTIONAL(dst, unserialize)	\
-	{	\
-	bool has_it;	\
-	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
-		return false;	\
-	\
-	if ( has_it )	\
-		{	\
-		dst = unserialize;	\
-		if ( ! dst )	\
-			return false;	\
-		}	\
-	\
-	else	\
-		dst = 0;	\
-	}
-
-#define UNSERIALIZE_OPTIONAL_STR(dst)	\
-	{	\
-	bool has_it;	\
-	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
-		return false;	\
-	\
-	if ( has_it )	\
-		{	\
-		if ( ! info->s->Read(&dst, 0, "has_" #dst) )	\
-			return false;	\
-		if ( ! dst )	\
-			return false;	\
-		}	\
-	\
-	else	\
-		dst = 0;	\
-	}
-
-#define UNSERIALIZE_OPTIONAL_STR_DEL(dst, del)	\
-	{	\
-	bool has_it;	\
-	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
-		{	\
-		delete del;	\
-		return 0;	\
-		}	\
-	\
-	if ( has_it )	\
-		{	\
-		if ( ! info->s->Read(&dst, 0, "has_" #dst) )	\
-			{	\
-			delete del;	\
-			return 0;	\
-			}	\
-		if ( ! dst )	\
-			{	\
-			delete del;	\
-			return 0;	\
-			}	\
-		}	\
-	\
-	else	\
-		dst = 0;	\
-	}
-
-#define UNSERIALIZE_OPTIONAL_STATIC(dst, unserialize, del)	\
-	{	\
-	bool has_it;	\
-	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
-		{	\
-		delete del;	\
-		return 0;	\
-		}	\
-	\
-	if ( has_it )	\
-		{	\
-		dst = unserialize;	\
-		if ( ! dst )	\
-			{	\
-			delete del;	\
-			return 0;	\
-			}	\
-		}	\
-	\
-	else	\
-		dst = 0;	\
-	}
-
-#endif
diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc
index d5f366f7fd..6505598fc8 100644
--- a/src/SerializationFormat.cc
+++ b/src/SerializationFormat.cc
@@ -2,7 +2,7 @@
 
 #include "net_util.h"
 #include "SerializationFormat.h"
-#include "Serializer.h"
+#include "DebugLogger.h"
 #include "Reporter.h"
 
 const float SerializationFormat::GROWTH_FACTOR = 2.5;
diff --git a/src/Serializer.cc b/src/Serializer.cc
deleted file mode 100644
index 28dc6bbd01..0000000000
--- a/src/Serializer.cc
+++ /dev/null
@@ -1,1059 +0,0 @@
-#include <fcntl.h>
-#include <unistd.h>
-#include <errno.h>
-#include <time.h>
-#include <dirent.h>
-#include <libgen.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-
-#include "Serializer.h"
-#include "Scope.h"
-#include "Stmt.h"
-#include "Reporter.h"
-#include "Func.h"
-#include "Event.h"
-#include "EventRegistry.h"
-#include "SerializationFormat.h"
-#include "NetVar.h"
-#include "Conn.h"
-#include "Timer.h"
-#include "iosource/Manager.h"
-
-Serializer::Serializer(SerializationFormat* arg_format)
-	{
-	if ( arg_format )
-		format = arg_format;
-	else
-		format = new BinarySerializationFormat();
-
-	io = 0;
-	error_descr = 0;
-	current_cache = 0;
-	}
-
-Serializer::~Serializer()
-	{
-	delete format;
-	delete [] error_descr;
-	}
-
-bool Serializer::Read(string* s, const char* tag)
-	{
-	char* cstr;
-	int len;
-	if ( format->Read(&cstr, &len, tag) )
-		{
-		s->assign(cstr, len);
-		delete [] cstr;
-		return true;
-		}
-	else
-		return false;
-	}
-
-bool Serializer::StartSerialization(SerialInfo* info, const char* descr,
-					char tag)
-	{
-	format->StartWrite();
-	assert(current_cache);
-	SetErrorDescr(fmt("serializing %s", descr));
-	if ( ! Write(tag, "tag") )
-		{
-		Error(io->Error());
-		return false;
-		}
-
-	current_cache->Begin(info->new_cache_strategy);
-	return true;
-	}
-
-bool Serializer::EndSerialization(SerialInfo* info)
-	{
-	if ( info->chunk )
-		{
-		if ( ! io->Write(info->chunk) )
-			{
-			Error(io->Error());
-			return false;
-			}
-		}
-
-	ChunkedIO::Chunk* chunk = new ChunkedIO::Chunk;
-	chunk->len = format->EndWrite(&chunk->data);
-	chunk->free_func = ChunkedIO::Chunk::free_func_free;
-
-	if ( ! io->Write(chunk) )
-		{
-		Error(io->Error());
-		return false;
-		}
-
-	current_cache->End(info->new_cache_strategy);
-	return true;
-	}
-
-bool Serializer::Serialize(SerialInfo* info, const ID& id)
-	{
-	if ( info->cont.NewInstance() )
-		{
-		if ( ! (id.IsGlobal() || id.IsEnumConst()) )
-			{
-			Error("non-global identifiers cannot be serialized");
-			return false;
-			}
-
-		if ( ! StartSerialization(info, "ID", 'i') )
-			return false;
-		}
-
-	info->cont.SaveContext();
-	bool result = id.Serialize(info);
-	info->cont.RestoreContext();
-
-	if ( ! result )
-		{
-		Error("failed");
-		return false;
-		}
-
-	if ( info->cont.ChildSuspended() )
-		return true;
-
-	WriteSeparator();
-	return EndSerialization(info);
-	}
-
-bool Serializer::Serialize(SerialInfo* info, const char* func, val_list* args)
-	{
-	DisableSuspend suspend(info);
-
-	if ( ! StartSerialization(info, "call", 'e') )
-		return false;
-
-	WriteOpenTag("call");
-	int a = args->length();
-	Write(func, "name");
-	Write(network_time, "time");
-	Write(a, "len");
-
-	loop_over_list(*args, i)
-		{
-		if ( ! (*args)[i]->Serialize(info) )
-			{
-			Error("failed");
-			return false;
-			}
-		}
-
-	WriteCloseTag("call");
-	WriteSeparator();
-
-	return EndSerialization(info);
-	}
-
-bool Serializer::Serialize(SerialInfo* info, const StateAccess& s)
-	{
-	DisableSuspend suspend(info);
-
-	if ( ! StartSerialization(info, "state access", 's') )
-		return false;
-
-	if ( ! s.Serialize(info) )
-		{
-		Error("failed");
-		return false;
-		}
-
-	return EndSerialization(info);
-	}
-
-bool Serializer::Serialize(SerialInfo* info, const Timer& t)
-	{
-	DisableSuspend suspend(info);
-
-	if ( ! StartSerialization(info, "timer", 't') )
-		return false;
-
-	if ( ! t.Serialize(info) )
-		{
-		Error("failed");
-		return false;
-		}
-
-	return EndSerialization(info);
-	}
-
-bool Serializer::Serialize(SerialInfo* info, const Connection& c)
-	{
-	DisableSuspend suspend(info);
-
-	if ( ! StartSerialization(info, "connection", 'c') )
-		return false;
-
-	if ( ! c.Serialize(info) )
-		{
-		Error("failed");
-		return false;
-		}
-
-	return EndSerialization(info);
-	}
-
-bool Serializer::Serialize(SerialInfo* info, const Packet& p)
-	{
-	DisableSuspend suspend(info);
-
-	if ( ! StartSerialization(info, "packet", 'p') )
-		return false;
-
-	if ( ! p.Serialize(info) )
-		{
-		Error("failed");
-		return false;
-		}
-
-	return EndSerialization(info);
-	}
-
-int Serializer::Unserialize(UnserialInfo* info, bool block)
-	{
-	assert(current_cache);
-
-	SetErrorDescr("unserializing");
-
-	current_cache->Begin(info->new_cache_strategy);
-
-	ChunkedIO::Chunk* chunk = info->chunk;
-
-	while ( ! chunk )
-		{
-		if ( ! io->Read(&chunk) )
-			{
-			if ( io->Eof() )
-				return 0;
-			Error(io->Error());
-			return -1;
-			}
-
-		if ( ! chunk && ! block )
-			return 0;
-		}
-
-	format->StartRead(chunk->data, chunk->len);
-
-	char type;
-	if ( ! format->Read(&type, "tag") )
-		return -1;
-
-//	DEBUG(fmt("parent: serialization of size %d", );
-
-	bool result;
-	switch ( type ) {
-	case 'i':
-		result = UnserializeID(info);
-		break;
-
-	case 'e':
-		result = UnserializeCall(info);
-		break;
-
-	case 's':
-		result = UnserializeStateAccess(info);
-		break;
-
-	case 'c':
-		result = UnserializeConnection(info);
-		break;
-
-	case 't':
-		result = UnserializeTimer(info);
-		break;
-
-	case 'p':
-		result = UnserializePacket(info);
-		break;
-
-	default:
-		Error(fmt("unknown serialization type %x", (int) type));
-		result = false;
-	}
-
-	format->EndRead();
-
-	if ( ! info->chunk )
-		{ // only delete if we allocated it ourselves
-		delete chunk;
-		}
-
-	current_cache->End(info->new_cache_strategy);
-
-	return result ? 1 : -1;
-	}
-
-bool Serializer::UnserializeID(UnserialInfo* info)
-	{
-	SetErrorDescr("unserializing ID");
-
-	ID* id = ID::Unserialize(info);
-
-	if ( ! id )
-		return false;
-
-	if ( info->print )
-		{
-		ODesc d;
-		d.SetQuotes(true);
-		d.SetIncludeStats(true);
-		d.SetShort();
-		id->DescribeExtended(&d);
-		fprintf(info->print, "ID %s\n", d.Description());
-		}
-
-	if ( ! info->ignore_callbacks )
-		GotID(id, id->ID_Val());
-	else
-		Unref(id);
-
-	return true;
-	}
-
-bool Serializer::UnserializeCall(UnserialInfo* info)
-	{
-	char* name;
-	int len;
-	double time;
-
-	if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&time) && UNSERIALIZE(&len)) )
-		return false;
-
-	SetErrorDescr(fmt("unserializing event/function %s", name));
-
-	bool ignore = false;
-	FuncType* functype = 0;
-	type_list* types = 0;
-
-	ID* id = global_scope()->Lookup(name);
-
-	if ( id )
-		{
-		if ( id->Type()->Tag() == TYPE_FUNC )
-			{
-			functype = id->Type()->AsFuncType();
-			types = functype->ArgTypes()->Types();
-			if ( types->length() != len )
-				{
-				Error("wrong number of arguments, ignoring");
-				ignore = true;
-				}
-			}
-		else
-			{
-			Error("not a function/event, ignoring");
-			ignore = true;
-			}
-		}
-	else
-		{
-		Error("unknown event/function, ignoring");
-		ignore = true;
-		}
-
-	ODesc d;
-	d.SetQuotes(true);
-	d.SetIncludeStats(true);
-	d.SetShort();
-
-	val_list* args = new val_list(len);
-	for ( int i = 0; i < len; ++i )
-		{
-		Val* v = Val::Unserialize(info);
-
-		if ( ! v )
-			{
-			delete [] name;
-			delete_vals(args);
-			return false;
-			}
-
-		if ( ! ignore )
-			{
-			if ( v->Type()->Tag() != (*types)[i]->Tag() &&
-			     (*types)[i]->Tag() != TYPE_ANY )
-				{
-				Error("mismatch in argument types; ignoring");
-				ignore = true;
-				}
-
-			if ( info->print && ! ignore )
-				v->Describe(&d);
-			}
-
-		args->append(v);
-		}
-
-	if ( ! ignore  )
-		{
-		if ( info->print )
-			fprintf(info->print, "%s [%.06f] %s(%s)\n",
-				functype->FlavorString().c_str(),
-				time, name, types ? d.Description() : "<ignored>");
-
-		switch ( functype->Flavor() ) {
-
-		case FUNC_FLAVOR_EVENT:
-			{
-			EventHandler* handler = event_registry->Lookup(name);
-			assert(handler);
-
-			if ( ! info->ignore_callbacks )
-				GotEvent(name, time, handler, args);
-
-			break;
-			}
-
-		case FUNC_FLAVOR_FUNCTION:
-		case FUNC_FLAVOR_HOOK:
-			if ( ! info->ignore_callbacks )
-				GotFunctionCall(name, time, id->ID_Val()->AsFunc(), args);
-			break;
-
-		default:
-			reporter->InternalError("unserialized call for invalid function flavor");
-			break;
-		}
-
-		if ( info->ignore_callbacks )
-			delete_vals(args);
-		}
-	else
-		delete_vals(args);
-
-	delete [] name;
-
-	return true;
-	}
-
-bool Serializer::UnserializeStateAccess(UnserialInfo* info)
-	{
-	SetErrorDescr("unserializing state access");
-
-	StateAccess* s = StateAccess::Unserialize(info);
-
-	if ( ! s )
-		return false;
-
-	if ( info->print )
-		{
-		ODesc d;
-		d.SetQuotes(true);
-		d.SetIncludeStats(true);
-		d.SetShort();
-		s->Describe(&d);
-		fprintf(info->print, "State access: %s\n", d.Description());
-		}
-
-	if ( ! info->ignore_callbacks )
-		GotStateAccess(s);
-	else
-		delete s;
-
-	return true;
-	}
-
-bool Serializer::UnserializeTimer(UnserialInfo* info)
-	{
-	SetErrorDescr("unserializing timer");
-
-	Timer* t = Timer::Unserialize(info);
-
-	if ( ! t )
-		return false;
-
-	if ( info->print )
-		{
-		ODesc d;
-		d.SetQuotes(true);
-		d.SetIncludeStats(true);
-		d.SetShort();
-		t->Describe(&d);
-		fprintf(info->print, "Timer: %s\n", d.Description());
-		}
-
-	if ( ! info->ignore_callbacks )
-		GotTimer(t);
-
-	return true;
-	}
-
-bool Serializer::UnserializeConnection(UnserialInfo* info)
-	{
-	SetErrorDescr("unserializing connection");
-
-	Connection* c = Connection::Unserialize(info);
-
-	if ( ! c )
-		return false;
-
-	if ( info->print )
-		{
-		ODesc d;
-		d.SetQuotes(true);
-		d.SetIncludeStats(true);
-		d.SetShort();
-		c->Describe(&d);
-		fprintf(info->print, "Connection: %s", d.Description());
-		}
-
-	if ( info->install_conns )
-		{
-		Ref(c);
-		sessions->Insert(c);
-		}
-	else
-		// We finish the connection here because it's not part
-		// of the standard processing and most likely to be
-		// discarded pretty soon.
-		// Without the Done(), some cleanup may not take place.
-		c->Done();
-
-	if ( ! info->ignore_callbacks )
-		GotConnection(c);
-	else
-		Unref(c);
-
-	return true;
-	}
-
-bool Serializer::UnserializePacket(UnserialInfo* info)
-	{
-	SetErrorDescr("unserializing packet");
-
-	Packet* p = Packet::Unserialize(info);
-
-	if ( ! p )
-		return false;
-
-	if ( info->print )
-		{
-		ODesc d;
-		d.SetQuotes(true);
-		d.SetIncludeStats(true);
-		d.SetShort();
-		p->Describe(&d);
-		fprintf(info->print, "Packet: %s", d.Description());
-		}
-
-	if ( ! info->ignore_callbacks )
-		GotPacket(p);
-	else
-		delete p;
-
-	return true;
-	}
-
-void Serializer::Error(const char* str)
-	{
-	char buffer[1024];
-	safe_snprintf(buffer, sizeof(buffer), "%s%s%s",
-		      error_descr ? error_descr : "", error_descr ? ": " : "", str);
-	ReportError(buffer);
-	}
-
-void Serializer::Warning(const char* str)
-	{
-	// We ignore these as there's no good place to report them.
-	}
-
-SerializationCache::SerializationCache(unsigned int arg_max_cache_size)
-	{
-	max_cache_size = arg_max_cache_size;
-	next_id = 1;
-	cache_stable.head = cache_stable.tail = 0;
-	cache_unstable.head = cache_unstable.tail = 0;
-	cache_stable.size = cache_unstable.size = 0;
-	}
-
-SerializationCache::~SerializationCache()
-	{
-	Clear();
-	}
-
-SerializationCache::PermanentID
-SerializationCache::Register(const SerialObj* obj, PermanentID pid,
-				bool new_cache_strategy)
-	{
-	if ( pid == NONE )
-		pid = next_id++;
-
-	PIDMap::iterator i = pid_map.find(pid);
-	assert(i == pid_map.end());
-
-	CacheList* cache =
-		(new_cache_strategy && obj->IsCacheStable()) ?
-			&cache_stable : &cache_unstable;
-
-	CacheEntry* entry = new CacheEntry;
-	entry->obj.serial = obj;
-	entry->is_bro_obj = obj->IsBroObj();
-	entry->pid = pid;
-	entry->tid = obj->GetTID()->Value();
-	entry->time = SerialObj::GetTimeCounter();
-	entry->prev = cache->tail;
-	entry->next = 0;
-	entry->cache = cache;
-	entry->stype = obj->GetSerialType();
-
-	if ( cache->tail )
-		cache->tail->next = entry;
-	if ( ! cache->head )
-		cache->head = entry;
-
-	cache->tail = entry;
-	++(cache->size);
-
-	// This is a bit weird. If the TID is already contained in the map (i.e.
-	// we're re-registering), TIDMap::insert() will *not* override the old
-	// entry but set the bool to false and return it.
-	pair<TIDMap::iterator, bool> old = tid_map.insert(TIDMap::value_type(entry->tid, entry));
-	if ( ! old.second )
-		{
-		// Already existed.
-		old.first->second->tid = 0;	// invalidate
-		old.first->second = entry;	// replace
-		}
-
-	pid_map.insert(PIDMap::value_type(pid, entry));
-
-	if ( entry->is_bro_obj )
-		Ref(const_cast<BroObj*>(entry->obj.bro));
-	else
-		{
-		// Make sure it goes into unstable.
-		assert(! obj->IsCacheStable());
-
-		volatiles.push_back(entry);
-		}
-
-	return entry->pid;
-	}
-
-void SerializationCache::UnlinkEntry(CacheEntry* e)
-	{
-	assert(e);
-
-	// Remove from double-linked list.
-	if ( e == e->cache->head )
-		{
-		e->cache->head = e->next;
-		if ( e->cache->head )
-			e->cache->head->prev = 0;
-		}
-	else
-		e->prev->next = e->next;
-
-	if ( e == e->cache->tail )
-		{
-		e->cache->tail = e->prev;
-		if ( e->cache->tail )
-			e->cache->tail->next = 0;
-		}
-	else
-		e->next->prev = e->prev;
-
-	e->prev = e->next = 0;
-	}
-
-void SerializationCache::RemoveEntry(CacheEntry* e)
-	{
-	assert(e);
-	UnlinkEntry(e);
-
-	if ( e->tid )
-		tid_map.erase(e->tid);
-
-	pid_map.erase(e->pid);
-
-	if ( e->is_bro_obj )
-		Unref(const_cast<BroObj*>(e->obj.bro));
-
-	e->obj.serial = 0; // for debugging
-	--(e->cache->size);
-	delete e;
-	}
-
-void SerializationCache::MoveEntryToTail(CacheEntry* e)
-	{
-	assert(e);
-	UnlinkEntry(e);
-	e->prev = e->cache->tail;
-	e->next = 0;
-
-	if ( e->cache->tail )
-		e->cache->tail->next = e;
-	if ( ! e->cache->head )
-		e->cache->head = e;
-
-	e->cache->tail = e;
-	}
-
-void SerializationCache::Clear()
-	{
-	tid_map.clear();
-	pid_map.clear();
-	volatiles.clear();
-
-	while ( cache_stable.head )
-		RemoveEntry(cache_stable.head);
-
-	while ( cache_unstable.head )
-		RemoveEntry(cache_unstable.head);
-
-	assert(cache_stable.size == 0);
-	assert(cache_unstable.size == 0);
-	}
-
-void SerializationCache::End(bool new_cache_strategy)
-	{
-	// Remove objects not-derived from BroObj (they aren't ref'counted
-	// so it's not safe to keep them).
-	for ( VolatileList::iterator i = volatiles.begin();
-	      i != volatiles.end(); i++ )
-		{
-		assert(*i);
-		RemoveEntry(*i);
-		}
-
-	volatiles.clear();
-
-	if ( new_cache_strategy )
-		{
-		while ( max_cache_size && cache_stable.head &&
-				cache_stable.size > max_cache_size )
-			RemoveEntry(cache_stable.head);
-
-		while ( max_cache_size && cache_unstable.head &&
-				cache_unstable.size > max_cache_size )
-			RemoveEntry(cache_unstable.head);
-		}
-
-	else
-		{
-		while ( max_cache_size && pid_map.size() > max_cache_size )
-			RemoveEntry(cache_unstable.head);
-		}
-	}
-
-FileSerializer::FileSerializer(SerializationFormat* format)
-: Serializer(format), cache(100)
-	{
-	file = 0;
-	fd = -1;
-	io = 0;
-	SetCache(&cache);
-	}
-
-FileSerializer::~FileSerializer()
-	{
-	if ( io )
-		io->Flush();
-
-	delete [] file;
-
-	if ( io )
-		delete io;  // destructor will call close() on fd
-	else if ( fd >= 0 )
-		safe_close(fd);
-	}
-
-bool FileSerializer::Open(const char* file, bool pure)
-	{
-	if ( ! OpenFile(file, false) )
-		return false;
-
-	if ( pure )
-		io->MakePure();
-
-	if ( ! PrepareForWriting() )
-		return false;
-
-	return true;
-	}
-
-bool FileSerializer::Close()
-	{
-	CloseFile();
-	return true;
-	}
-
-bool FileSerializer::OpenFile(const char* arg_file, bool readonly, bool should_exist)
-	{
-	CloseFile();
-
-	cache.Clear();
-
-	file = copy_string(arg_file);
-	fd = open(file, readonly ? O_RDONLY : O_WRONLY | O_CREAT | O_TRUNC, 0600);
-
-	if ( fd < 0 )
-		{
-		if ( readonly && errno == ENOENT )
-			{
-			// Only an error if we expect to exist.
-			if ( should_exist )
-				{
-				Error(fmt("%s does not exist", file));
-				return false;
-				}
-
-			CloseFile();
-			return true;
-			}
-
-		Error(fmt("can't open file %s for %s: %s",
-				file, (readonly ? "reading" : "writing"),
-				strerror(errno)));
-		return false;
-		}
-
-	io = new ChunkedIOFd(fd, "file");
-
-	return io != 0;
-	}
-
-void FileSerializer::CloseFile()
-	{
-	if ( io )
-		io->Flush();
-
-	if ( fd >= 0 && ! io ) // destructor of io calls close() on fd
-		safe_close(fd);
-	fd = -1;
-
-	delete [] file;
-	file = 0;
-
-	delete io;
-	io = 0;
-
-	cache.Clear();
-	}
-
-bool FileSerializer::PrepareForWriting()
-	{
-	if ( ! io->IsPure() )
-		{
-		// Write file header.
-		uint32 magic = htonl(MAGIC);
-		uint16 version = htons(DATA_FORMAT_VERSION);
-		uint32 time = htonl(uint32(::time(0)));
-
-		if ( write(fd, &magic, sizeof(magic)) != sizeof(magic ) ||
-		     write(fd, &version, sizeof(version)) != sizeof(version) ||
-		     write(fd, &time, sizeof(time)) != sizeof(time))
-			{
-			Error(fmt("can't write file header to %s: %s",
-					file, strerror(errno)));
-			return false;
-			}
-		}
-
-	return true;
-	}
-
-bool FileSerializer::ReadHeader(UnserialInfo* info)
-	{
-	uint32 magic;
-	uint16 version;
-	uint32 time;
-
-	if ( read(fd, &magic, sizeof(magic)) != sizeof(magic ) ||
-	     read(fd, &version, sizeof(version)) != sizeof(version) ||
-	     read(fd, &time, sizeof(time)) != sizeof(time) )
-		{
-		Error(fmt("can't read file header from %s: %s",
-				file, strerror(errno)));
-		return false;
-		}
-
-	version = ntohs(version);
-	time = ntohl(time);
-
-	if ( info && info->print )
-		{
-		time_t teatime = (time_t) time;
-		fprintf(stderr, "Date: %s", ctime(&teatime));
-		}
-
-	if ( magic != htonl(MAGIC) )
-		{
-		Error(fmt("%s is not a bro state file", file));
-		CloseFile();
-		return false;
-		}
-
-	if ( version != DATA_FORMAT_VERSION )
-		{
-		Error(fmt("wrong data format, expected version %d but got version %d", DATA_FORMAT_VERSION, version));
-		CloseFile();
-		return false;
-		}
-
-	return true;
-	}
-
-bool FileSerializer::Read(UnserialInfo* info, const char* file, bool header)
-	{
-	if ( ! OpenFile(file, true, info->print) )
-		return false;
-
-	// fprintf( stderr, "Reading %s\n", file );
-
-	if ( fd < 0 )
-		// Not existent, but that's ok.
-		return true;
-
-	if ( header && ! ReadHeader(info) )
-		return false;
-
-	int i;
-	while ( (i = Unserialize(info, true)) > 0 )
-		;
-
-	CloseFile();
-
-	return i == 0;
-	}
-
-void FileSerializer::ReportError(const char* str)
-	{
-	reporter->Error("%s", str);
-	}
-
-void FileSerializer::GotID(ID* id, Val* val)
-	{
-	// Do nothing.
-	Unref(id);
-	}
-
-void FileSerializer::GotStateAccess(StateAccess* s)
-	{
-	delete s;
-	}
-
-void FileSerializer::GotEvent(const char* name, double time,
-				EventHandlerPtr event, val_list* args)
-	{
-	// Do nothing.
-	delete_vals(args);
-	}
-
-void FileSerializer::GotFunctionCall(const char* name, double time,
-				Func* func, val_list* args)
-	{
-	// Do nothing.
-	delete_vals(args);
-	}
-
-void FileSerializer::GotTimer(Timer* t)
-	{
-	// Do nothing.
-	delete t;
-	}
-
-void FileSerializer::GotConnection(Connection* c)
-	{
-	// Do nothing.
-	Unref(c);
-	}
-
-void FileSerializer::GotPacket(Packet* p)
-	{
-	// Do nothing.
-	delete p;
-	}
-
-EventPlayer::EventPlayer(const char* file)
-    : stream_time(), replay_time(), ne_time(), ne_handler(), ne_args()
-	{
-	if ( ! OpenFile(file, true) || fd < 0 )
-		Error(fmt("event replayer: cannot open %s", file));
-
-	if ( ReadHeader() )
-		iosource_mgr->Register(this);
-	}
-
-EventPlayer::~EventPlayer()
-	{
-	CloseFile();
-	}
-
-void EventPlayer::GotEvent(const char* name, double time,
-		EventHandlerPtr event, val_list* args)
-	{
-	ne_time = time;
-	ne_handler = event;
-	ne_args = std::move(*args);
-	delete args;
-	}
-
-void EventPlayer::GotFunctionCall(const char* name, double time,
-		Func* func, val_list* args)
-	{
-	// We don't replay function calls.
-	}
-
-void EventPlayer::GetFds(iosource::FD_Set* read, iosource::FD_Set* write,
-                         iosource::FD_Set* except)
-	{
-	read->Insert(fd);
-	}
-
-double EventPlayer::NextTimestamp(double* local_network_time)
-	{
-	if ( ne_time )
-		return ne_time;
-
-	if ( ! io )
-		return -1;
-
-	// Read next event if we don't have one waiting.
-	if ( ! ne_time )
-		{
-		UnserialInfo info(this);
-		Unserialize(&info);
-		SetClosed(io->Eof());
-		}
-
-	if ( ! ne_time )
-		return -1;
-
-	if ( ! network_time )
-		{
-		// Network time not initialized yet.
-		stream_time = replay_time = ne_time;
-		return ne_time;
-		}
-
-	if ( ! stream_time )
-		{
-		// Init base times.
-		stream_time = ne_time;
-		replay_time = network_time;
-		}
-
-	// Scale time.
-	ne_time = ne_time - stream_time + network_time;
-	return ne_time;
-	}
-
-void EventPlayer::Process()
-	{
-	if ( ! (io && ne_time) )
-		return;
-
-	Event* event = new Event(ne_handler, std::move(ne_args));
-	mgr.Dispatch(event);
-
-	ne_time = 0;
-	}
diff --git a/src/Serializer.h b/src/Serializer.h
deleted file mode 100644
index 2c30ef5443..0000000000
--- a/src/Serializer.h
+++ /dev/null
@@ -1,363 +0,0 @@
-#ifndef SERIALIZER_H
-#define SERIALIZER_H
-
-#include <map>
-#include <list>
-#include <pcap.h>
-
-#include "ID.h"
-#include "List.h"
-#include "Expr.h"
-#include "ChunkedIO.h"
-#include "SerializationFormat.h"
-#include "StateAccess.h"
-#include "PriorityQueue.h"
-#include "SerialInfo.h"
-#include "IP.h"
-#include "Timer.h"
-#include "iosource/IOSource.h"
-#include "Reporter.h"
-
-class SerializationCache;
-class SerialInfo;
-
-class Connection;
-class Timer;
-class Packet;
-
-class Serializer {
-public:
-	// Currently ID serialization is the only method which may suspend.
-	bool Serialize(SerialInfo* info, const ID& id);
-	bool Serialize(SerialInfo* info, const char* func, val_list* args);
-	bool Serialize(SerialInfo* info, const StateAccess& s);
-	bool Serialize(SerialInfo* info, const Connection& c);
-	bool Serialize(SerialInfo* info, const Timer& t);
-	bool Serialize(SerialInfo* info, const Packet& p);
-
-	// Access to the current cache.
-	SerializationCache* Cache()	{ return current_cache; }
-	void SetCache(SerializationCache* cache)
-		{ current_cache = cache; }
-
-	// Input/output methods.
-
-#define DECLARE_READ(type) \
-	bool Read(type* v, const char* tag)	{ return format->Read(v, tag); }
-
-#define DECLARE_WRITE(type) \
-	bool Write(type v, const char* tag)	\
-		{ return format->Write(v, tag); }
-
-#define DECLARE_IO(type)	\
-	DECLARE_READ(type)	\
-	DECLARE_WRITE(type)
-
-	DECLARE_IO(int)
-	DECLARE_IO(uint16)
-	DECLARE_IO(uint32)
-	DECLARE_IO(int64)
-	DECLARE_IO(uint64)
-	DECLARE_IO(char)
-	DECLARE_IO(bool)
-	DECLARE_IO(double)
-
-	bool Read(char** str, int* len, const char* tag)
-		{ return format->Read(str, len, tag); }
-	bool Read(const char** str, int* len, const char* tag)
-		// This cast is ok.
-		{ return format->Read(const_cast<char**>(str), len, tag); }
-
-	bool Read(string* s, const char* tag);
-	bool Read(IPAddr* a, const char* tag)	{ return format->Read(a, tag); }
-	bool Read(IPPrefix* p, const char* tag)	{ return format->Read(p, tag); }
-
-	bool Write(const char* s, const char* tag)
-		{ return format->Write(s, tag); }
-	bool Write(const char* buf, int len, const char* tag)
-		{ return format->Write(buf, len, tag); }
-	bool Write(const string& s, const char* tag)
-		{ return format->Write(s.data(), s.size(), tag); }
-	bool Write(const IPAddr& a, const char* tag)	{ return format->Write(a, tag); }
-	bool Write(const IPPrefix& p, const char* tag)	{ return format->Write(p, tag); }
-
-	bool WriteOpenTag(const char* tag)
-		{ return format->WriteOpenTag(tag); }
-	bool WriteCloseTag(const char* tag)
-		{ return format->WriteCloseTag(tag); }
-
-	bool WriteSeparator()	{ return format->WriteSeparator(); }
-
-	void Error(const char* msg);
-	void Warning(const char* msg);
-
-	void SetErrorDescr(const char* descr)
-		{ delete [] error_descr; error_descr = copy_string(descr); }
-
-protected:
-	// Format defaults to binary serialization.
-	explicit Serializer(SerializationFormat* format = 0);
-	virtual ~Serializer();
-
-	// Reads next object.
-	// If 'block' is true, wait until an object can be read.
-	// Returns 0 if no more object available, -1 on error.
-	int Unserialize(UnserialInfo* info, bool block = false);
-
-	// Callback for error messages.
-	virtual void ReportError(const char* msg) = 0;
-
-	// Callbacks for unserialized objects.
-
-	// id points to ID in global scope, val is unserialized value.
-	virtual void GotID(ID* id, Val* val) = 0;
-	virtual void GotEvent(const char* name, double time,
-				EventHandlerPtr event, val_list* args) = 0;
-	virtual void GotFunctionCall(const char* name, double time,
-				Func* func, val_list* args) = 0;
-	virtual void GotStateAccess(StateAccess* s) = 0;
-	virtual void GotTimer(Timer* t) = 0;
-	virtual void GotConnection(Connection* c) = 0;
-	virtual void GotPacket(Packet* packet) = 0;
-
-	// Magic to recognize state files.
-	static const uint32 MAGIC = 0x42525354;
-
-	// This will be increased whenever there is an incompatible change
-	// in the data format.
-	static const uint32 DATA_FORMAT_VERSION = 26;
-
-	ChunkedIO* io;
-
-private:
-	bool StartSerialization(SerialInfo* info, const char* descr, char tag);
-	bool EndSerialization(SerialInfo* info);
-
-	bool UnserializeID(UnserialInfo* info);
-	bool UnserializeCall(UnserialInfo* info);
-	bool UnserializeStateAccess(UnserialInfo* info);
-	bool UnserializeTimer(UnserialInfo* info);
-	bool UnserializeConnection(UnserialInfo* info);
-	bool UnserializePacket(UnserialInfo* info);
-
-	SerializationFormat* format;
-	SerializationCache* current_cache;
-	const char* error_descr;	// used in error messages
-};
-
-
-
-// We maintain an LRU-cache for some of the objects which have already been
-// serialized. For the cache, we need two types of IDs: TransientIDs (defined
-// in SerialObj.cc) uniquely reference an object during the lifetime of a
-// process.  PermanentIDs uniquely reference an object within a serialization.
-
-class SerializationCache {
-public:
-	typedef uint64 PermanentID;
-	static const PermanentID NONE = 0;
-
-	// If max_cache_size is greater than zero, we'll remove old entries
-	// automatically if limit is reached (LRU expiration).
-	explicit SerializationCache(unsigned int max_cache_size = 0);
-	~SerializationCache();
-
-	PermanentID Register(const SerialObj* obj, PermanentID pid,
-				bool new_cache_strategy);
-
-	const SerialObj* Lookup(PermanentID pid)
-		{
-		PIDMap::const_iterator i = pid_map.find(pid);
-		if ( i == pid_map.end() )
-			return 0;
-
-		assert(i->second);
-		MoveEntryToTail(i->second);
-		return i->second->obj.serial;
-		}
-
-	PermanentID Lookup(const TransientID& tid)
-		{
-		TIDMap::const_iterator i = tid_map.find(tid.Value());
-		if ( i == tid_map.end() )
-			return 0;
-
-		uint64 modified = i->second->obj.serial->LastModified();
-		if ( modified == SerialObj::ALWAYS || modified > i->second->time )
-			return 0;
-
-		assert(i->second);
-		MoveEntryToTail(i->second);
-		return i->second->pid;
-		}
-
-	unsigned int GetMaxCacheSize() const	{ return max_cache_size; }
-	void SetMaxCacheSize(unsigned int size)	{ max_cache_size = size; }
-
-	// These methods have to be called at the start/end of the
-	// serialization of an entity. The cache guarentees that objects
-	// registered after Begin() remain valid until End() is called.
-	// After End(), objects which are not derived from BroObj are
-	// discarded; others *may* remain valid.
-	void Begin(bool can_keep_in_cache)	{ End(can_keep_in_cache); }
-	void End(bool can_keep_in_cache);
-
-	void Clear();
-
-private:
-
-	struct CacheList;
-
-	struct CacheEntry {
-		union {
-			const SerialObj* serial;
-			const BroObj* bro;
-		} obj;
-
-		bool is_bro_obj;
-		PermanentID pid;
-		TransientID::ID tid;
-		uint64 time;
-		struct CacheList* cache;
-		CacheEntry* prev;
-		CacheEntry* next;
-
-		SerialType stype;	// primarily for debugging
-	};
-
-	// We maintain two LRU-sorted lists, one for often-changing objects and
-	// one for only rarely changing objects;
-	struct CacheList {
-		CacheEntry* head;
-		CacheEntry* tail;
-		unsigned int size;
-	};
-
-	void RemoveEntry(CacheEntry* e);
-	void UnlinkEntry(CacheEntry* e);
-	void MoveEntryToTail(CacheEntry* e);
-
-	unsigned int max_cache_size;
-
-	typedef map<PermanentID, CacheEntry*> PIDMap;
-	typedef map<TransientID::ID, CacheEntry*> TIDMap;
-
-	TIDMap tid_map;
-	PIDMap pid_map;
-
-	CacheList cache_stable;
-	CacheList cache_unstable;
-
-	// Objects in the cache which aren't derived from BroObj. These are
-	// always stored in the unstable cache.
-	typedef list<CacheEntry*> VolatileList;
-	VolatileList volatiles;
-
-	PermanentID next_id;
-};
-
-// A serializer for cloning objects.  Objects can be serialized into
-// the serializer and unserialized into new objects.  An absolutely
-// minimal implementation of Serializer!
-class CloneSerializer : public Serializer {
-public:
-	explicit CloneSerializer(SerializationFormat* format = 0) : Serializer(format) { }
-	~CloneSerializer() override
-		{ }
-
-protected:
-	void ReportError(const char* msg) override { reporter->Error("%s", msg); }
-	void GotID(ID* id, Val* val) override { }
-	void GotEvent(const char* name, double time, EventHandlerPtr event, val_list* args) override { }
-	void GotFunctionCall(const char* name, double time,
-				Func* func, val_list* args) override { }
-	void GotStateAccess(StateAccess* s) override { delete s; }
-	void GotTimer(Timer* t) override { }
-	void GotConnection(Connection* c) override { }
-	void GotPacket(Packet* packet) override { }
-};
-
-// Write values/events to file or fd.
-class FileSerializer : public Serializer {
-public:
-	explicit FileSerializer(SerializationFormat* format = 0);
-	~FileSerializer() override;
-
-	// Opens the file for serialization.
-	bool Open(const char* file, bool pure = false);
-	bool Close();
-
-	// Reads the file.
-	bool Read(UnserialInfo* info, const char* file, bool header = true);
-
-protected:
-	void ReportError(const char* msg) override;
-	void GotID(ID* id, Val* val) override;
-	void GotEvent(const char* name, double time,
-				EventHandlerPtr event, val_list* args) override;
-	void GotFunctionCall(const char* name, double time,
-				Func* func, val_list* args) override;
-	void GotStateAccess(StateAccess* s) override;
-	void GotTimer(Timer* t) override;
-	void GotConnection(Connection* c) override;
-	void GotPacket(Packet* packet) override;
-
-	bool OpenFile(const char* file, bool readonly, bool should_exist = false);
-	void CloseFile();
-	bool ReadFile(const char* file);
-	bool PrepareForWriting();
-	bool ReadHeader(UnserialInfo* info = 0);
-
-	SerializationCache cache;
-	const char* file;
-	int fd;
-};
-
-// Abstract interface class for external sources providing a stream of events.
-class EventSource {
-public:
-	virtual ~EventSource() { }
-
-	// Returns time of the oldest event (0 if none available).
-	virtual double NextTimestamp(double* local_network_time) = 0;
-
-	// Dispatches the oldest event and removes it.
-	virtual void DispatchNextEvent() = 0;
-
-	// Returns true if there are more events to expect from this source.
-	virtual bool IsActive() = 0;
-};
-
-// Plays a file of events back.
-class EventPlayer : public FileSerializer, public iosource::IOSource {
-public:
-	explicit EventPlayer(const char* file);
-	~EventPlayer() override;
-
-	void GetFds(iosource::FD_Set* read, iosource::FD_Set* write,
-	                    iosource::FD_Set* except) override;
-	double NextTimestamp(double* local_network_time) override;
-	void Process() override;
-	const char* Tag() override { return "EventPlayer"; }
-
-protected:
-	void GotID(ID* id, Val* val) override {}
-	void GotEvent(const char* name, double time,
-				EventHandlerPtr event, val_list* args) override;
-	void GotFunctionCall(const char* name, double time,
-				Func* func, val_list* args) override;
-
-	double stream_time;	// time of first captured event
-	double replay_time;	// network time of replay start
-
-	// Next event waiting to be dispatched.
-	double ne_time;
-	EventHandlerPtr ne_handler;
-	val_list ne_args;
-
-};
-
-extern FileSerializer* event_serializer;
-extern FileSerializer* state_serializer;
-
-#endif
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index 134cca5db5..03157b1cbe 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -1,6 +1,5 @@
 #include "Val.h"
 #include "StateAccess.h"
-#include "Serializer.h"
 #include "Event.h"
 #include "NetVar.h"
 #include "DebugLogger.h"
@@ -72,7 +71,6 @@ StateAccess::StateAccess(Opcode arg_opcode,
 	}
 
 StateAccess::StateAccess(const StateAccess& sa)
-: SerialObj()
 	{
 	opcode = sa.opcode;
 	target_type = sa.target_type;
@@ -408,146 +406,6 @@ ID* StateAccess::Target() const
 	return target_type == TYPE_ID ? target.id : target.val->UniqueID();
 	}
 
-bool StateAccess::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-StateAccess* StateAccess::Unserialize(UnserialInfo* info)
-	{
-	StateAccess* sa =
-		(StateAccess*) SerialObj::Unserialize(info, SER_STATE_ACCESS);
-	return sa;
-	}
-
-IMPLEMENT_SERIAL(StateAccess, SER_STATE_ACCESS);
-
-bool StateAccess::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_STATE_ACCESS, SerialObj);
-
-	if ( ! SERIALIZE(char(opcode)) )
-		return false;
-
-	const ID* id =
-		target_type == TYPE_ID ? target.id : target.val->UniqueID();
-
-	if ( ! SERIALIZE(id->Name()) )
-		 return false;
-
-	if ( op1_type == TYPE_KEY )
-		{
-		Val* index =
-			id->ID_Val()->AsTableVal()->RecoverIndex(this->op1.key);
-
-		if ( ! index )
-			return false;
-		if ( ! index->Serialize(info) )
-			return false;
-
-		Unref(index);
-		}
-
-	else if ( ! op1.val->Serialize(info) )
-		return false;
-
-	// Don't send the "old" operand if we don't want consistency checks.
-	// Unfortunately, it depends on the opcode which operand that actually
-	// is.
-
-	const Val* null = 0;
-
-	switch ( opcode ) {
-	case OP_PRINT:
-	case OP_EXPIRE:
-	case OP_READ_IDX:
-		// No old.
-		SERIALIZE_OPTIONAL(null);
-		SERIALIZE_OPTIONAL(null);
-		break;
-
-	case OP_INCR:
-	case OP_INCR_IDX:
-		// Always need old.
-		SERIALIZE_OPTIONAL(op2);
-		SERIALIZE_OPTIONAL(op3);
-		break;
-
-	case OP_ASSIGN:
-	case OP_ADD:
-	case OP_DEL:
-		// Op2 is old.
-		SERIALIZE_OPTIONAL(null);
-		SERIALIZE_OPTIONAL(null);
-		break;
-
-	case OP_ASSIGN_IDX:
-		// Op3 is old.
-		SERIALIZE_OPTIONAL(op2);
-		SERIALIZE_OPTIONAL(null);
-		break;
-
-	default:
-		reporter->InternalError("StateAccess::DoSerialize: unknown opcode");
-	}
-
-	return true;
-	}
-
-bool StateAccess::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	char c;
-	if ( ! UNSERIALIZE(&c) )
-		return false;
-
-	opcode = Opcode(c);
-
-	const char* name;
-	if ( ! UNSERIALIZE_STR(&name, 0) )
-		return false;
-
-	target_type = TYPE_ID;
-	target.id = global_scope()->Lookup(name);
-
-	if ( target.id )
-		// Otherwise, we'll delete it below.
-		delete [] name;
-
-	op1_type = TYPE_VAL;
-	op1.val = Val::Unserialize(info);
-	if ( ! op1.val )
-		return false;
-
-	UNSERIALIZE_OPTIONAL(op2, Val::Unserialize(info));
-	UNSERIALIZE_OPTIONAL(op3, Val::Unserialize(info));
-
-	if ( target.id )
-		Ref(target.id);
-	else
-		{
-		// This may happen as long as we haven't agreed on the
-		// unique name for an ID during initial synchronization, or if
-		// the local peer has already deleted the ID.
-		DBG_LOG(DBG_STATE, "state access referenced unknown id %s", name);
-
-		if ( info->install_uniques )
-			{
-			target.id = new ID(name, SCOPE_GLOBAL, true);
-			Ref(target.id);
-			global_scope()->Insert(name, target.id);
-#ifdef USE_PERFTOOLS_DEBUG
-			heap_checker->IgnoreObject(target.id);
-#endif
-			}
-
-		delete [] name;
-		}
-
-	return true;
-	}
-
 void StateAccess::Describe(ODesc* d) const
 	{
 	const ID* id;
diff --git a/src/StateAccess.h b/src/StateAccess.h
index 8530ec1d91..d9077fe0e2 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -7,14 +7,11 @@
 #include <map>
 #include <string>
 
-#include "SerialObj.h"
-
 class Val;
 class ID;
 class MutableVal;
 class HashKey;
 class ODesc;
-class Serializer;
 class TableVal;
 
 enum Opcode {	// Op1	Op2 Op3 (Vals)
@@ -30,7 +27,7 @@ enum Opcode {	// Op1	Op2 Op3 (Vals)
 	OP_READ_IDX,	// idx
 };
 
-class StateAccess : public SerialObj {
+class StateAccess {
 public:
 	StateAccess(Opcode opcode, const ID* target, const Val* op1,
 			const Val* op2 = 0, const Val* op3 = 0);
@@ -48,7 +45,7 @@ public:
 
 	StateAccess(const StateAccess& sa);
 
-	~StateAccess() override;
+	virtual ~StateAccess();
 
 	// Replays this access in the our environment.
 	void Replay();
@@ -58,9 +55,6 @@ public:
 
 	void Describe(ODesc* d) const;
 
-	bool Serialize(SerialInfo* info) const;
-	static StateAccess* Unserialize(UnserialInfo* info);
-
 	// Main entry point when StateAcesses are performed.
 	// For every state-changing operation, this has to be called.
 	static void Log(StateAccess* access);
@@ -76,8 +70,6 @@ private:
 
 	bool MergeTables(TableVal* dst, Val* src);
 
-	DECLARE_SERIAL(StateAccess);
-
 	Opcode opcode;
 	union {
 		ID* id;
diff --git a/src/Stmt.cc b/src/Stmt.cc
index 5bf7c47d75..3edb48c8f5 100644
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@@ -117,47 +117,6 @@ void Stmt::AccessStats(ODesc* d) const
 		}
 	}
 
-bool Stmt::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Stmt* Stmt::Unserialize(UnserialInfo* info, BroStmtTag want)
-	{
-	Stmt* stmt = (Stmt*) SerialObj::Unserialize(info, SER_STMT);
-
-	if ( want != STMT_ANY && stmt->tag != want )
-		{
-		info->s->Error("wrong stmt type");
-		Unref(stmt);
-		return 0;
-		}
-
-	return stmt;
-	}
-
-bool Stmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_STMT, BroObj);
-
-	return SERIALIZE(char(tag)) && SERIALIZE(last_access)
-			&& SERIALIZE(access_count);
-	}
-
-bool Stmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	char c;
-	if ( ! UNSERIALIZE(&c) )
-		return 0;
-
-	tag = BroStmtTag(c);
-
-	return UNSERIALIZE(&last_access) && UNSERIALIZE(&access_count);
-	}
-
-
 ExprListStmt::ExprListStmt(BroStmtTag t, ListExpr* arg_l)
 : Stmt(t)
 	{
@@ -207,19 +166,6 @@ void ExprListStmt::PrintVals(ODesc* d, val_list* vals, int offset) const
 	describe_vals(vals, d, offset);
 	}
 
-bool ExprListStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_EXPR_LIST_STMT, Stmt);
-	return l->Serialize(info);
-	}
-
-bool ExprListStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-	l = (ListExpr*) Expr::Unserialize(info, EXPR_LIST);
-	return l != 0;
-	}
-
 TraversalCode ExprListStmt::Traverse(TraversalCallback* cb) const
 	{
 	TraversalCode tc = cb->PreStmt(this);
@@ -305,20 +251,6 @@ Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
 	return 0;
 	}
 
-IMPLEMENT_SERIAL(PrintStmt, SER_PRINT_STMT);
-
-bool PrintStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_PRINT_STMT, ExprListStmt);
-	return true;
-	}
-
-bool PrintStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprListStmt);
-	return true;
-	}
-
 ExprStmt::ExprStmt(Expr* arg_e) : Stmt(STMT_EXPR)
 	{
 	e = arg_e;
@@ -404,22 +336,6 @@ TraversalCode ExprStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(ExprStmt, SER_EXPR_STMT);
-
-bool ExprStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_EXPR_STMT, Stmt);
-	SERIALIZE_OPTIONAL(e);
-	return true;
-	}
-
-bool ExprStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-	UNSERIALIZE_OPTIONAL(e, Expr::Unserialize(info));
-	return true;
-	}
-
 IfStmt::IfStmt(Expr* test, Stmt* arg_s1, Stmt* arg_s2) : ExprStmt(STMT_IF, test)
 	{
 	s1 = arg_s1;
@@ -507,25 +423,6 @@ TraversalCode IfStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(IfStmt, SER_IF_STMT);
-
-bool IfStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_IF_STMT, ExprStmt);
-	return s1->Serialize(info) && s2->Serialize(info);
-	}
-
-bool IfStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprStmt);
-	s1 = Stmt::Unserialize(info);
-	if ( ! s1 )
-		return false;
-
-	s2 = Stmt::Unserialize(info);
-	return s2 != 0;
-	}
-
 static BroStmtTag get_last_stmt_tag(const Stmt* stmt)
 	{
 	if ( ! stmt )
@@ -655,67 +552,6 @@ TraversalCode Case::Traverse(TraversalCallback* cb) const
 	return TC_CONTINUE;
 	}
 
-bool Case::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Case* Case::Unserialize(UnserialInfo* info)
-	{
-	return (Case*) SerialObj::Unserialize(info, SER_CASE);
-	}
-
-IMPLEMENT_SERIAL(Case, SER_CASE);
-
-bool Case::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_CASE, BroObj);
-
-	if ( ! expr_cases->Serialize(info) )
-		return false;
-
-	id_list empty;
-	id_list* types = (type_cases ? type_cases : &empty);
-
-	if ( ! SERIALIZE(types->length()) )
-		return false;
-
-	loop_over_list((*types), i)
-		{
-		if ( ! (*types)[i]->Serialize(info) )
-			return false;
-		}
-
-	return this->s->Serialize(info);
-	}
-
-bool Case::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	expr_cases = (ListExpr*) Expr::Unserialize(info, EXPR_LIST);
-	if ( ! expr_cases )
-		return false;
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	type_cases = new id_list(len);
-
-	while ( len-- )
-		{
-		ID* id = ID::Unserialize(info);
-		if ( ! id )
-			return false;
-
-		type_cases->append(id);
-		}
-
-	this->s = Stmt::Unserialize(info);
-	return this->s != 0;
-	}
-
 static void int_del_func(void* v)
 	{
 	delete (int*) v;
@@ -1028,66 +864,6 @@ TraversalCode SwitchStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(SwitchStmt, SER_SWITCH_STMT);
-
-bool SwitchStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SWITCH_STMT, ExprStmt);
-
-	if ( ! SERIALIZE(cases->length()) )
-		return false;
-
-	loop_over_list((*cases), i)
-		if ( ! (*cases)[i]->Serialize(info) )
-			return false;
-
-	if ( ! SERIALIZE(default_case_idx) )
-		return false;
-
-	return true;
-	}
-
-bool SwitchStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprStmt);
-
-	Init();
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	while ( len-- )
-		{
-		Case* c = Case::Unserialize(info);
-		if ( ! c )
-			return false;
-
-		cases->append(c);
-		}
-
-	if ( ! UNSERIALIZE(&default_case_idx) )
-		return false;
-
-	loop_over_list(*cases, i)
-		{
-		const ListExpr* le = (*cases)[i]->ExprCases();
-
-		if ( ! le )
-			continue;
-
-		const expr_list& exprs = le->Exprs();
-
-		loop_over_list(exprs, j)
-			{
-			if ( ! AddCaseLabelValueMapping(exprs[j]->ExprVal(), i) )
-				return false;
-			}
-		}
-
-	return true;
-	}
-
 AddStmt::AddStmt(Expr* arg_e) : ExprStmt(STMT_ADD, arg_e)
 	{
 	if ( ! e->CanAdd() )
@@ -1121,20 +897,6 @@ TraversalCode AddStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(AddStmt, SER_ADD_STMT);
-
-bool AddStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ADD_STMT, ExprStmt);
-	return true;
-	}
-
-bool AddStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprStmt);
-	return true;
-	}
-
 DelStmt::DelStmt(Expr* arg_e) : ExprStmt(STMT_DELETE, arg_e)
 	{
 	if ( e->IsError() )
@@ -1170,20 +932,6 @@ TraversalCode DelStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(DelStmt, SER_DEL_STMT);
-
-bool DelStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_DEL_STMT, ExprStmt);
-	return true;
-	}
-
-bool DelStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprStmt);
-	return true;
-	}
-
 EventStmt::EventStmt(EventExpr* arg_e) : ExprStmt(STMT_EVENT, arg_e)
 	{
 	event_expr = arg_e;
@@ -1218,22 +966,6 @@ TraversalCode EventStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(EventStmt, SER_EVENT_STMT);
-
-bool EventStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_EVENT_STMT, ExprStmt);
-	return event_expr->Serialize(info);
-	}
-
-bool EventStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprStmt);
-
-	event_expr = (EventExpr*) Expr::Unserialize(info, EXPR_EVENT);
-	return event_expr != 0;
-	}
-
 WhileStmt::WhileStmt(Expr* arg_loop_condition, Stmt* arg_body)
 	: loop_condition(arg_loop_condition), body(arg_body)
 	{
@@ -1319,30 +1051,6 @@ Val* WhileStmt::Exec(Frame* f, stmt_flow_type& flow) const
 	return rval;
 	}
 
-IMPLEMENT_SERIAL(WhileStmt, SER_WHILE_STMT);
-
-bool WhileStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_WHILE_STMT, Stmt);
-
-	if ( ! loop_condition->Serialize(info) )
-		return false;
-
-	return body->Serialize(info);
-	}
-
-bool WhileStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-	loop_condition = Expr::Unserialize(info);
-
-	if ( ! loop_condition )
-		return false;
-
-	body = Stmt::Unserialize(info);
-	return body != 0;
-	}
-
 ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr)
 : ExprStmt(STMT_FOR, loop_expr)
 	{
@@ -1607,47 +1315,6 @@ TraversalCode ForStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(ForStmt, SER_FOR_STMT);
-
-bool ForStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_FOR_STMT, ExprStmt);
-
-	if ( ! SERIALIZE(loop_vars->length()) )
-		return false;
-
-	loop_over_list((*loop_vars), i)
-		{
-		if ( ! (*loop_vars)[i]->Serialize(info) )
-			return false;
-		}
-
-	return body->Serialize(info);
-	}
-
-bool ForStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprStmt);
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	loop_vars = new id_list(len);
-
-	while ( len-- )
-		{
-		ID* id = ID::Unserialize(info);
-		if ( ! id )
-			return false;
-
-		loop_vars->append(id);
-		}
-
-	body = Stmt::Unserialize(info);
-	return body != 0;
-	}
-
 Val* NextStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
 	{
 	RegisterAccess();
@@ -1675,20 +1342,6 @@ TraversalCode NextStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(NextStmt, SER_NEXT_STMT);
-
-bool NextStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_NEXT_STMT, Stmt);
-	return true;
-	}
-
-bool NextStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-	return true;
-	}
-
 Val* BreakStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
 	{
 	RegisterAccess();
@@ -1716,20 +1369,6 @@ TraversalCode BreakStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(BreakStmt, SER_BREAK_STMT);
-
-bool BreakStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BREAK_STMT, Stmt);
-	return true;
-	}
-
-bool BreakStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-	return true;
-	}
-
 Val* FallthroughStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
 	{
 	RegisterAccess();
@@ -1757,20 +1396,6 @@ TraversalCode FallthroughStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(FallthroughStmt, SER_FALLTHROUGH_STMT);
-
-bool FallthroughStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_FALLTHROUGH_STMT, Stmt);
-	return true;
-	}
-
-bool FallthroughStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-	return true;
-	}
-
 ReturnStmt::ReturnStmt(Expr* arg_e) : ExprStmt(STMT_RETURN, arg_e)
 	{
 	Scope* s = current_scope();
@@ -1838,20 +1463,6 @@ void ReturnStmt::Describe(ODesc* d) const
 	DescribeDone(d);
 	}
 
-IMPLEMENT_SERIAL(ReturnStmt, SER_RETURN_STMT);
-
-bool ReturnStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_RETURN_STMT, ExprStmt);
-	return true;
-	}
-
-bool ReturnStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprStmt);
-	return true;
-	}
-
 StmtList::StmtList() : Stmt(STMT_LIST)
 	{
 	}
@@ -1941,43 +1552,6 @@ TraversalCode StmtList::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(StmtList, SER_STMT_LIST);
-
-bool StmtList::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_STMT_LIST, Stmt);
-
-	if ( ! SERIALIZE(stmts.length()) )
-		return false;
-
-	loop_over_list(stmts, i)
-		if ( ! stmts[i]->Serialize(info) )
-			return false;
-
-	return true;
-	}
-
-bool StmtList::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	while ( len-- )
-		{
-		Stmt* stmt = Stmt::Unserialize(info);
-		if ( ! stmt )
-			return false;
-
-		stmts.append(stmt);
-		}
-
-	return true;
-	}
-
-
 Val* EventBodyList::Exec(Frame* f, stmt_flow_type& flow) const
 	{
 	RegisterAccess();
@@ -2036,20 +1610,6 @@ void EventBodyList::Describe(ODesc* d) const
 		StmtList::Describe(d);
 	}
 
-IMPLEMENT_SERIAL(EventBodyList, SER_EVENT_BODY_LIST);
-
-bool EventBodyList::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_EVENT_BODY_LIST, StmtList);
-	return SERIALIZE(topmost);
-	}
-
-bool EventBodyList::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(StmtList);
-	return UNSERIALIZE(&topmost);
-	}
-
 InitStmt::~InitStmt()
 	{
 	loop_over_list(*inits, i)
@@ -2123,45 +1683,6 @@ TraversalCode InitStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(InitStmt, SER_INIT_STMT);
-
-bool InitStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_INIT_STMT, Stmt);
-
-	if ( ! SERIALIZE(inits->length()) )
-		return false;
-
-	loop_over_list((*inits), i)
-		{
-		if ( ! (*inits)[i]->Serialize(info) )
-			return false;
-		}
-
-	return true;
-	}
-
-bool InitStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	inits = new id_list(len);
-
-	while ( len-- )
-		{
-		ID* id = ID::Unserialize(info);
-		if ( ! id )
-			return false;
-		inits->append(id);
-		}
-	return true;
-	}
-
-
 Val* NullStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
 	{
 	RegisterAccess();
@@ -2191,20 +1712,6 @@ TraversalCode NullStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(NullStmt, SER_NULL_STMT);
-
-bool NullStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_NULL_STMT, Stmt);
-	return true;
-	}
-
-bool NullStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-	return true;
-	}
-
 WhenStmt::WhenStmt(Expr* arg_cond, Stmt* arg_s1, Stmt* arg_s2,
 			Expr* arg_timeout, bool arg_is_return)
 : Stmt(STMT_WHEN)
@@ -2320,35 +1827,3 @@ TraversalCode WhenStmt::Traverse(TraversalCallback* cb) const
 	HANDLE_TC_STMT_POST(tc);
 	}
 
-IMPLEMENT_SERIAL(WhenStmt, SER_WHEN_STMT);
-
-bool WhenStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_WHEN_STMT, Stmt);
-
-	if ( cond->Serialize(info) && s1->Serialize(info) )
-		return false;
-
-	SERIALIZE_OPTIONAL(s2);
-	SERIALIZE_OPTIONAL(timeout);
-
-	return true;
-	}
-
-bool WhenStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Stmt);
-
-	cond = Expr::Unserialize(info);
-	if ( ! cond )
-		return false;
-
-	s1 = Stmt::Unserialize(info);
-	if ( ! s1 )
-		return false;
-
-	UNSERIALIZE_OPTIONAL(s2, Stmt::Unserialize(info));
-	UNSERIALIZE_OPTIONAL(timeout, Expr::Unserialize(info));
-
-	return true;
-	}
diff --git a/src/Stmt.h b/src/Stmt.h
index c3ee6611fe..7136ffe306 100644
--- a/src/Stmt.h
+++ b/src/Stmt.h
@@ -71,9 +71,6 @@ public:
 
 	virtual unsigned int BPCount() const	{ return breakpoint_count; }
 
-	bool Serialize(SerialInfo* info) const;
-	static Stmt* Unserialize(UnserialInfo* info, BroStmtTag want = STMT_ANY);
-
 	virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
 
 protected:
@@ -83,8 +80,6 @@ protected:
 	void AddTag(ODesc* d) const;
 	void DescribeDone(ODesc* d) const;
 
-	DECLARE_ABSTRACT_SERIAL(Stmt);
-
 	BroStmtTag tag;
 	int breakpoint_count;	// how many breakpoints on this statement
 
@@ -111,8 +106,6 @@ protected:
 	void Describe(ODesc* d) const override;
 	void PrintVals(ODesc* d, val_list* vals, int offset) const;
 
-	DECLARE_ABSTRACT_SERIAL(ExprListStmt);
-
 	ListExpr* l;
 };
 
@@ -125,8 +118,6 @@ protected:
 	PrintStmt()	{}
 
 	Val* DoExec(val_list* vals, stmt_flow_type& flow) const override;
-
-	DECLARE_SERIAL(PrintStmt);
 };
 
 class ExprStmt : public Stmt {
@@ -151,8 +142,6 @@ protected:
 
 	int IsPure() const override;
 
-	DECLARE_SERIAL(ExprStmt);
-
 	Expr* e;
 };
 
@@ -175,8 +164,6 @@ protected:
 	Val* DoExec(Frame* f, Val* v, stmt_flow_type& flow) const override;
 	int IsPure() const override;
 
-	DECLARE_SERIAL(IfStmt);
-
 	Stmt* s1;
 	Stmt* s2;
 };
@@ -197,17 +184,12 @@ public:
 
 	void Describe(ODesc* d) const override;
 
-	bool Serialize(SerialInfo* info) const;
-	static Case* Unserialize(UnserialInfo* info);
-
 	TraversalCode Traverse(TraversalCallback* cb) const;
 
 protected:
 	friend class Stmt;
 	Case()	{ expr_cases = 0; type_cases = 0; s = 0; }
 
-	DECLARE_SERIAL(Case);
-
 	ListExpr* expr_cases;
 	id_list* type_cases;
 	Stmt* s;
@@ -234,8 +216,6 @@ protected:
 	Val* DoExec(Frame* f, Val* v, stmt_flow_type& flow) const override;
 	int IsPure() const override;
 
-	DECLARE_SERIAL(SwitchStmt);
-
 	// Initialize composite hash and case label map.
 	void Init();
 
@@ -274,8 +254,6 @@ public:
 protected:
 	friend class Stmt;
 	AddStmt()	{}
-
-	DECLARE_SERIAL(AddStmt);
 };
 
 class DelStmt : public ExprStmt {
@@ -290,8 +268,6 @@ public:
 protected:
 	friend class Stmt;
 	DelStmt()	{}
-
-	DECLARE_SERIAL(DelStmt);
 };
 
 class EventStmt : public ExprStmt {
@@ -306,8 +282,6 @@ protected:
 	friend class Stmt;
 	EventStmt()	{ event_expr = 0; }
 
-	DECLARE_SERIAL(EventStmt);
-
 	EventExpr* event_expr;
 };
 
@@ -331,8 +305,6 @@ protected:
 
 	Val* Exec(Frame* f, stmt_flow_type& flow) const override;
 
-	DECLARE_SERIAL(WhileStmt);
-
 	Expr* loop_condition;
 	Stmt* body;
 };
@@ -362,8 +334,6 @@ protected:
 
 	Val* DoExec(Frame* f, Val* v, stmt_flow_type& flow) const override;
 
-	DECLARE_SERIAL(ForStmt);
-
 	id_list* loop_vars;
 	Stmt* body;
 	// Stores the value variable being used for a key value for loop.
@@ -383,7 +353,6 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
 protected:
-	DECLARE_SERIAL(NextStmt);
 };
 
 class BreakStmt : public Stmt {
@@ -398,7 +367,6 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
 protected:
-	DECLARE_SERIAL(BreakStmt);
 };
 
 class FallthroughStmt : public Stmt {
@@ -413,7 +381,6 @@ public:
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
 protected:
-	DECLARE_SERIAL(FallthroughStmt);
 };
 
 class ReturnStmt : public ExprStmt {
@@ -427,8 +394,6 @@ public:
 protected:
 	friend class Stmt;
 	ReturnStmt()	{}
-
-	DECLARE_SERIAL(ReturnStmt);
 };
 
 class StmtList : public Stmt {
@@ -448,8 +413,6 @@ public:
 protected:
 	int IsPure() const override;
 
-	DECLARE_SERIAL(StmtList);
-
 	stmt_list stmts;
 };
 
@@ -467,9 +430,6 @@ public:
 	// bool IsTopmost()	{ return topmost; }
 
 protected:
-
-	DECLARE_SERIAL(EventBodyList);
-
 	bool topmost;
 };
 
@@ -496,8 +456,6 @@ protected:
 	friend class Stmt;
 	InitStmt()	{ inits = 0; }
 
-	DECLARE_SERIAL(InitStmt);
-
 	id_list* inits;
 };
 
@@ -511,9 +469,6 @@ public:
 	void Describe(ODesc* d) const override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
-
-protected:
-	DECLARE_SERIAL(NullStmt);
 };
 
 class WhenStmt : public Stmt {
@@ -537,8 +492,6 @@ public:
 protected:
 	WhenStmt()	{ cond = 0; s1 = s2 = 0; timeout = 0; is_return = 0; }
 
-	DECLARE_SERIAL(WhenStmt);
-
 	Expr* cond;
 	Stmt* s1;
 	Stmt* s2;
diff --git a/src/Timer.cc b/src/Timer.cc
index 519ceaae1e..75858af336 100644
--- a/src/Timer.cc
+++ b/src/Timer.cc
@@ -5,7 +5,6 @@
 #include "util.h"
 #include "Timer.h"
 #include "Desc.h"
-#include "Serializer.h"
 #include "broker/Manager.h"
 
 // Names of timers in same order than in TimerType.
@@ -53,41 +52,6 @@ void Timer::Describe(ODesc* d) const
 	d->Add(Time());
 	}
 
-bool Timer::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Timer* Timer::Unserialize(UnserialInfo* info)
-	{
-	Timer* timer = (Timer*) SerialObj::Unserialize(info, SER_TIMER);
-	if ( ! timer )
-		return 0;
-
-	timer_mgr->Add(timer);
-
-	return timer;
-	}
-
-bool Timer::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_TIMER, SerialObj);
-	char tmp = type;
-	return SERIALIZE(tmp) && SERIALIZE(time);
-	}
-
-bool Timer::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	char tmp;
-	if ( ! UNSERIALIZE(&tmp) )
-		return false;
-	type = tmp;
-
-	return UNSERIALIZE(&time);
-	}
-
 unsigned int TimerMgr::current_timers[NUM_TIMER_TYPES];
 
 TimerMgr::~TimerMgr()
diff --git a/src/Timer.h b/src/Timer.h
index 2ce9f56e0b..02ebb2773c 100644
--- a/src/Timer.h
+++ b/src/Timer.h
@@ -6,7 +6,6 @@
 #include <string>
 
 #include <string>
-#include "SerialObj.h"
 #include "PriorityQueue.h"
 
 extern "C" {
@@ -49,10 +48,9 @@ const int NUM_TIMER_TYPES = int(TIMER_TIMERMGR_EXPIRE) + 1;
 
 extern const char* timer_type_to_string(TimerType type);
 
-class Serializer;
 class ODesc;
 
-class Timer : public SerialObj, public PQ_Element {
+class Timer : public PQ_Element {
 public:
 	Timer(double t, TimerType arg_type) : PQ_Element(t)
 		{ type = (char) arg_type; }
@@ -67,14 +65,9 @@ public:
 
 	void Describe(ODesc* d) const;
 
-	bool Serialize(SerialInfo* info) const;
-	static Timer* Unserialize(UnserialInfo* info);
-
 protected:
 	Timer()	{}
 
-	DECLARE_ABSTRACT_SERIAL(Timer);
-
 	unsigned int type:8;
 };
 
diff --git a/src/Type.cc b/src/Type.cc
index 19bed81412..f252aea70f 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -6,7 +6,6 @@
 #include "Attr.h"
 #include "Expr.h"
 #include "Scope.h"
-#include "Serializer.h"
 #include "Reporter.h"
 #include "zeekygen/Manager.h"
 #include "zeekygen/utils.h"
@@ -124,25 +123,8 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 
 BroType* BroType::Clone() const
 	{
-	SerializationFormat* form = new BinarySerializationFormat();
-	form->StartWrite();
-	CloneSerializer ss(form);
-	SerialInfo sinfo(&ss);
-	sinfo.cache = false;
-
-	this->Serialize(&sinfo);
-	char* data;
-	uint32 len = form->EndWrite(&data);
-	form->StartRead(data, len);
-
-	UnserialInfo uinfo(&ss);
-	uinfo.cache = false;
-
-	BroType* rval = this->Unserialize(&uinfo, false);
-	assert(rval != this);
-
-	free(data);
-	return rval;
+	// Fixme: Johanna
+	return nullptr;
 	}
 
 int BroType::MatchesIndex(ListExpr*& index) const
@@ -203,124 +185,6 @@ unsigned int BroType::MemoryAllocation() const
 	return padded_sizeof(*this);
 	}
 
-bool BroType::Serialize(SerialInfo* info) const
-	{
-	// We always send full types (see below).
-	if ( ! SERIALIZE(true) )
-		return false;
-
-	bool ret = SerialObj::Serialize(info);
-	return ret;
-	}
-
-BroType* BroType::Unserialize(UnserialInfo* info, bool use_existing)
-	{
-	// To avoid external Broccoli clients needing to always send full type
-	// objects, we allow them to give us only the name of a type. To
-	// differentiate between the two cases, we exchange a flag first.
-	bool full_type = true;;
-	if ( ! UNSERIALIZE(&full_type) )
-		return 0;
-
-	if ( ! full_type )
-		{
-		const char* name;
-		if ( ! UNSERIALIZE_STR(&name, 0) )
-			return 0;
-
-		ID* id = global_scope()->Lookup(name);
-		if ( ! id )
-			{
-			info->s->Error(fmt("unknown type %s", name));
-			return 0;
-			}
-
-		BroType* t = id->AsType();
-		if ( ! t )
-			{
-			info->s->Error(fmt("%s is not a type", name));
-			return 0;
-			}
-
-		return t->Ref();
-		}
-
-	BroType* t = (BroType*) SerialObj::Unserialize(info, SER_BRO_TYPE);
-
-	if ( ! t || ! use_existing )
-		return t;
-
-	if ( ! t->name.empty() )
-		{
-		// Avoid creating a new type if it's known by name.
-		// Also avoids loss of base type name alias (from condition below).
-		ID* id = global_scope()->Lookup(t->name.c_str());
-		BroType* t2 = id ? id->AsType() : 0;
-
-		if ( t2 )
-			{
-			Unref(t);
-			return t2->Ref();
-			}
-		}
-
-	if ( t->base_type )
-		{
-		BroType* t2 = ::base_type(TypeTag(t->tag));
-		Unref(t);
-		assert(t2);
-		return t2;
-		}
-
-	assert(t);
-	return t;
-	}
-
-IMPLEMENT_SERIAL(BroType, SER_BRO_TYPE)
-
-bool BroType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BRO_TYPE, BroObj);
-
-	info->s->WriteOpenTag("Type");
-
-	if ( ! (SERIALIZE(char(tag)) && SERIALIZE(char(internal_tag))) )
-		return false;
-
-	if ( ! (SERIALIZE(is_network_order) && SERIALIZE(base_type)) )
-		return false;
-
-	SERIALIZE_STR(name.c_str(), name.size());
-
-	info->s->WriteCloseTag("Type");
-
-	return true;
-	}
-
-bool BroType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	char c1, c2;
-	if ( ! (UNSERIALIZE(&c1) && UNSERIALIZE(&c2) ) )
-		return 0;
-
-	tag = (TypeTag) c1;
-	internal_tag = (InternalTypeTag) c2;
-
-	if ( ! (UNSERIALIZE(&is_network_order) && UNSERIALIZE(&base_type)) )
-		return 0;
-
-	const char* n;
-	if ( ! UNSERIALIZE_STR(&n, 0) )
-		return false;
-
-	name = n;
-	delete [] n;
-
-	return true;
-	}
-
 TypeList::~TypeList()
 	{
 	loop_over_list(types, i)
@@ -383,47 +247,6 @@ void TypeList::Describe(ODesc* d) const
 		}
 	}
 
-IMPLEMENT_SERIAL(TypeList, SER_TYPE_LIST);
-
-bool TypeList::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_TYPE_LIST, BroType);
-
-	SERIALIZE_OPTIONAL(pure_type);
-
-	if ( ! SERIALIZE(types.length()) )
-		return false;
-
-	loop_over_list(types, j)
-		{
-		if ( ! types[j]->Serialize(info) )
-			return false;
-		}
-
-	return true;
-	}
-
-bool TypeList::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-
-	UNSERIALIZE_OPTIONAL(pure_type, BroType::Unserialize(info));
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	while ( len-- )
-		{
-		BroType* t = BroType::Unserialize(info);
-		if ( ! t )
-			return false;
-
-		types.append(t);
-		}
-	return true;
-	}
-
 IndexType::~IndexType()
 	{
 	Unref(indices);
@@ -530,25 +353,6 @@ bool IndexType::IsSubNetIndex() const
 	return false;
 	}
 
-IMPLEMENT_SERIAL(IndexType, SER_INDEX_TYPE);
-
-bool IndexType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_INDEX_TYPE, BroType);
-
-	SERIALIZE_OPTIONAL(yield_type);
-	return indices->Serialize(info);
-	}
-
-bool IndexType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-
-	UNSERIALIZE_OPTIONAL(yield_type, BroType::Unserialize(info));
-	indices = (TypeList*) BroType::Unserialize(info);
-	return indices != 0;
-	}
-
 TableType::TableType(TypeList* ind, BroType* yield)
 : IndexType(TYPE_TABLE, ind, yield)
 	{
@@ -650,43 +454,11 @@ SetType::SetType(TypeList* ind, ListExpr* arg_elements) : TableType(ind, 0)
 		}
 	}
 
-IMPLEMENT_SERIAL(TableType, SER_TABLE_TYPE);
-
-bool TableType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_TABLE_TYPE, IndexType);
-	return true;
-	}
-
-bool TableType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(IndexType);
-	return true;
-	}
-
 SetType::~SetType()
 	{
 	Unref(elements);
 	}
 
-IMPLEMENT_SERIAL(SetType, SER_SET_TYPE);
-
-bool SetType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SET_TYPE, TableType);
-
-	SERIALIZE_OPTIONAL(elements);
-	return true;
-	}
-
-bool SetType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(TableType);
-
-	UNSERIALIZE_OPTIONAL(elements, (ListExpr*) Expr::Unserialize(info, EXPR_LIST));
-	return true;
-	}
-
 FuncType::FuncType(RecordType* arg_args, BroType* arg_yield, function_flavor arg_flavor)
 : BroType(TYPE_FUNC)
 	{
@@ -822,80 +594,6 @@ void FuncType::DescribeReST(ODesc* d, bool roles_only) const
 		}
 	}
 
-IMPLEMENT_SERIAL(FuncType, SER_FUNC_TYPE);
-
-bool FuncType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_FUNC_TYPE, BroType);
-
-	assert(args);
-	assert(arg_types);
-
-	SERIALIZE_OPTIONAL(yield);
-
-	int ser_flavor = 0;
-
-	switch ( flavor ) {
-
-	case FUNC_FLAVOR_FUNCTION:
-		ser_flavor = 0;
-		break;
-
-	case FUNC_FLAVOR_EVENT:
-		ser_flavor = 1;
-		break;
-
-	case FUNC_FLAVOR_HOOK:
-		ser_flavor = 2;
-		break;
-
-	default:
-		reporter->InternalError("Invalid function flavor serialization");
-		break;
-	}
-
-	return args->Serialize(info) &&
-		arg_types->Serialize(info) &&
-		SERIALIZE(ser_flavor);
-	}
-
-bool FuncType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-
-	UNSERIALIZE_OPTIONAL(yield, BroType::Unserialize(info));
-
-	args = (RecordType*) BroType::Unserialize(info);
-	if ( ! args )
-		return false;
-
-	arg_types = (TypeList*) BroType::Unserialize(info);
-	if ( ! arg_types )
-		return false;
-
-	int ser_flavor = 0;
-
-	if ( ! UNSERIALIZE(&ser_flavor) )
-		return false;
-
-	switch ( ser_flavor ) {
-	case 0:
-		flavor = FUNC_FLAVOR_FUNCTION;
-		break;
-	case 1:
-		flavor = FUNC_FLAVOR_EVENT;
-		break;
-	case 2:
-		flavor = FUNC_FLAVOR_HOOK;
-		break;
-	default:
-		reporter->InternalError("Invalid function flavor unserialization");
-		break;
-	}
-
-	return true;
-	}
-
 TypeDecl::TypeDecl(BroType* t, const char* i, attr_list* arg_attrs, bool in_record)
 	{
 	type = t;
@@ -921,35 +619,6 @@ TypeDecl::~TypeDecl()
 	delete [] id;
 	}
 
-bool TypeDecl::Serialize(SerialInfo* info) const
-	{
-	assert(type);
-	assert(id);
-
-	SERIALIZE_OPTIONAL(attrs);
-
-	if ( ! (type->Serialize(info) && SERIALIZE(id)) )
-		return false;
-
-	return true;
-	}
-
-TypeDecl* TypeDecl::Unserialize(UnserialInfo* info)
-	{
-	TypeDecl* t = new TypeDecl(0, 0, 0);
-
-	UNSERIALIZE_OPTIONAL_STATIC(t->attrs, Attributes::Unserialize(info), t);
-	t->type = BroType::Unserialize(info);
-
-	if ( ! (t->type && UNSERIALIZE_STR(&t->id, 0)) )
-		{
-		delete t;
-		return 0;
-		}
-
-	return t;
-	}
-
 void TypeDecl::DescribeReST(ODesc* d, bool roles_only) const
 	{
 	d->Add(id);
@@ -1253,67 +922,6 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
 		d->PopIndentNoNL();
 	}
 
-IMPLEMENT_SERIAL(RecordType, SER_RECORD_TYPE)
-
-bool RecordType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_RECORD_TYPE, BroType);
-
-	if ( ! SERIALIZE(num_fields) )
-		return false;
-
-	if ( types )
-		{
-		if ( ! (SERIALIZE(true) && SERIALIZE(types->length())) )
-			return false;
-
-		loop_over_list(*types, i)
-			{
-			if ( ! (*types)[i]->Serialize(info) )
-				return false;
-			}
-		}
-
-	else if ( ! SERIALIZE(false) )
-		return false;
-
-	return true;
-	}
-
-bool RecordType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-
-	if ( ! UNSERIALIZE(&num_fields) )
-		return false;
-
-	bool has_it;
-	if ( ! UNSERIALIZE(&has_it) )
-		return false;
-
-	if ( has_it )
-		{
-		int len;
-		if ( ! UNSERIALIZE(&len) )
-			return false;
-
-		types = new type_decl_list(len);
-
-		while ( len-- )
-			{
-			TypeDecl* t = TypeDecl::Unserialize(info);
-			if ( ! t )
-				return false;
-
-			types->append(t);
-			}
-		}
-	else
-		types = 0;
-
-	return true;
-	}
-
 SubNetType::SubNetType() : BroType(TYPE_SUBNET)
 	{
 	}
@@ -1326,20 +934,6 @@ void SubNetType::Describe(ODesc* d) const
 		d->Add(int(Tag()));
 	}
 
-IMPLEMENT_SERIAL(SubNetType, SER_SUBNET_TYPE);
-
-bool SubNetType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SUBNET_TYPE, BroType);
-	return true;
-	}
-
-bool SubNetType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-	return true;
-	}
-
 FileType::FileType(BroType* yield_type)
 : BroType(TYPE_FILE)
 	{
@@ -1370,24 +964,6 @@ void FileType::Describe(ODesc* d) const
 		}
 	}
 
-IMPLEMENT_SERIAL(FileType, SER_FILE_TYPE);
-
-bool FileType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_FILE_TYPE, BroType);
-
-	assert(yield);
-	return yield->Serialize(info);
-	}
-
-bool FileType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-
-	yield = BroType::Unserialize(info);
-	return yield != 0;
-	}
-
 OpaqueType::OpaqueType(const string& arg_name) : BroType(TYPE_OPAQUE)
 	{
 	name = arg_name;
@@ -1408,28 +984,6 @@ void OpaqueType::DescribeReST(ODesc* d, bool roles_only) const
 	d->Add(fmt(":zeek:type:`%s` of %s", type_name(Tag()), name.c_str()));
 	}
 
-IMPLEMENT_SERIAL(OpaqueType, SER_OPAQUE_TYPE);
-
-bool OpaqueType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_OPAQUE_TYPE, BroType);
-	return SERIALIZE_STR(name.c_str(), name.size());
-	}
-
-bool OpaqueType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-
-	const char* n;
-	if ( ! UNSERIALIZE_STR(&n, 0) )
-		return false;
-
-	name = n;
-	delete [] n;
-
-	return true;
-	}
-
 EnumType::EnumType(const string& name)
 	: BroType(TYPE_ENUM)
 	{
@@ -1672,59 +1226,6 @@ void EnumType::DescribeReST(ODesc* d, bool roles_only) const
 		}
 	}
 
-IMPLEMENT_SERIAL(EnumType, SER_ENUM_TYPE);
-
-bool EnumType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ENUM_TYPE, BroType);
-
-	if ( ! (SERIALIZE(counter) && SERIALIZE((unsigned int) names.size()) &&
-		// Dummy boolean for backwards compatibility.
-		SERIALIZE(false)) )
-		return false;
-
-	for ( NameMap::const_iterator iter = names.begin();
-	      iter != names.end(); ++iter )
-		{
-		if ( ! SERIALIZE(iter->first) || ! SERIALIZE(iter->second) )
-			return false;
-		}
-
-	return true;
-	}
-
-bool EnumType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-
-	unsigned int len;
-	bool dummy;
-	if ( ! UNSERIALIZE(&counter) ||
-	     ! UNSERIALIZE(&len) ||
-	     // Dummy boolean for backwards compatibility.
-	     ! UNSERIALIZE(&dummy) )
-		return false;
-
-	while ( len-- )
-		{
-		const char* name;
-		bro_int_t val;
-		if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&val)) )
-			return false;
-
-		names[name] = val;
-		delete [] name; // names[name] converts to std::string
-		// note: the 'vals' map gets populated lazily, which works fine and
-		// also happens to avoid a leak due to circular reference between the
-		// types and vals (there's a special case for unserializing a known
-		// type that will unserialze and then immediately want to unref the
-		// type if we already have it, except that won't delete it as intended
-		// if we've already created circular references to it here).
-		}
-
-	return true;
-	}
-
 VectorType::VectorType(BroType* element_type)
     : BroType(TYPE_VECTOR), yield_type(element_type)
 	{
@@ -1791,21 +1292,6 @@ bool VectorType::IsUnspecifiedVector() const
 	return yield_type->Tag() == TYPE_VOID;
 	}
 
-IMPLEMENT_SERIAL(VectorType, SER_VECTOR_TYPE);
-
-bool VectorType::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_VECTOR_TYPE, BroType);
-	return yield_type->Serialize(info);
-	}
-
-bool VectorType::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroType);
-	yield_type = BroType::Unserialize(info);
-	return yield_type != 0;
-	}
-
 void VectorType::Describe(ODesc* d) const
 	{
 	if ( d->IsReadable() )
diff --git a/src/Type.h b/src/Type.h
index c537bb6203..4825feeb2f 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -72,7 +72,6 @@ class SubNetType;
 class FuncType;
 class ListExpr;
 class EnumType;
-class Serializer;
 class VectorType;
 class TypeType;
 class OpaqueType;
@@ -256,9 +255,6 @@ public:
 
 	virtual unsigned MemoryAllocation() const;
 
-	bool Serialize(SerialInfo* info) const;
-	static BroType* Unserialize(UnserialInfo* info, bool use_existing = true);
-
 	void SetName(const string& arg_name) { name = arg_name; }
 	string GetName() const { return name; }
 
@@ -275,8 +271,6 @@ protected:
 
 	void SetError();
 
-	DECLARE_SERIAL(BroType)
-
 private:
 	TypeTag tag;
 	InternalTypeTag internal_tag;
@@ -325,8 +319,6 @@ public:
 		}
 
 protected:
-	DECLARE_SERIAL(TypeList)
-
 	BroType* pure_type;
 	type_list types;
 };
@@ -356,8 +348,6 @@ protected:
 		}
 	~IndexType() override;
 
-	DECLARE_SERIAL(IndexType)
-
 	TypeList* indices;
 	BroType* yield_type;
 };
@@ -374,8 +364,6 @@ protected:
 	TableType()	{}
 
 	TypeList* ExpandRecordIndex(RecordType* rt) const;
-
-	DECLARE_SERIAL(TableType)
 };
 
 class SetType : public TableType {
@@ -389,8 +377,6 @@ protected:
 	SetType()	{}
 
 	ListExpr* elements;
-
-	DECLARE_SERIAL(SetType)
 };
 
 class FuncType : public BroType {
@@ -420,8 +406,6 @@ public:
 
 protected:
 	FuncType()	{ args = 0; arg_types = 0; yield = 0; flavor = FUNC_FLAVOR_FUNCTION; }
-	DECLARE_SERIAL(FuncType)
-
 	RecordType* args;
 	TypeList* arg_types;
 	BroType* yield;
@@ -450,9 +434,6 @@ public:
 	const Attr* FindAttr(attr_tag a) const
 		{ return attrs ? attrs->FindAttr(a) : 0; }
 
-	bool Serialize(SerialInfo* info) const;
-	static TypeDecl* Unserialize(UnserialInfo* info);
-
 	virtual void DescribeReST(ODesc* d, bool roles_only = false) const;
 
 	BroType* type;
@@ -501,8 +482,6 @@ public:
 protected:
 	RecordType() { types = 0; }
 
-	DECLARE_SERIAL(RecordType)
-
 	int num_fields;
 	type_decl_list* types;
 };
@@ -511,8 +490,6 @@ class SubNetType : public BroType {
 public:
 	SubNetType();
 	void Describe(ODesc* d) const override;
-protected:
-	DECLARE_SERIAL(SubNetType)
 };
 
 class FileType : public BroType {
@@ -527,8 +504,6 @@ public:
 protected:
 	FileType()	{ yield = 0; }
 
-	DECLARE_SERIAL(FileType)
-
 	BroType* yield;
 };
 
@@ -545,8 +520,6 @@ public:
 protected:
 	OpaqueType() { }
 
-	DECLARE_SERIAL(OpaqueType)
-
 	string name;
 };
 
@@ -582,8 +555,6 @@ public:
 protected:
 	EnumType() { counter = 0; }
 
-	DECLARE_SERIAL(EnumType)
-
 	void AddNameInternal(const string& module_name,
 			const char* name, bro_int_t val, bool is_export);
 
@@ -625,8 +596,6 @@ public:
 protected:
 	VectorType()	{ yield_type = 0; }
 
-	DECLARE_SERIAL(VectorType)
-
 	BroType* yield_type;
 };
 
diff --git a/src/Val.cc b/src/Val.cc
index 07ae251fc2..e1396035a5 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -20,7 +20,6 @@
 #include "Scope.h"
 #include "NetVar.h"
 #include "Expr.h"
-#include "Serializer.h"
 #include "PrefixTable.h"
 #include "Conn.h"
 #include "Reporter.h"
@@ -73,243 +72,8 @@ Val::~Val()
 
 Val* Val::Clone() const
 	{
-	SerializationFormat* form = new BinarySerializationFormat();
-	form->StartWrite();
-
-	CloneSerializer ss(form);
-	SerialInfo sinfo(&ss);
-	sinfo.cache = false;
-	sinfo.include_locations = false;
-
-	if ( ! this->Serialize(&sinfo) )
-		return 0;
-
-	char* data;
-	uint32 len = form->EndWrite(&data);
-	form->StartRead(data, len);
-
-	UnserialInfo uinfo(&ss);
-	uinfo.cache = false;
-	Val* clone = Unserialize(&uinfo, type);
-
-	free(data);
-	return clone;
-	}
-
-bool Val::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Val* Val::Unserialize(UnserialInfo* info, TypeTag type, const BroType* exact_type)
-	{
-	Val* v = (Val*) SerialObj::Unserialize(info, SER_VAL);
-	if ( ! v )
-		return 0;
-
-	if ( type != TYPE_ANY && (v->Type()->Tag() != type
-		|| (exact_type && ! same_type(exact_type, v->Type()))) )
-		{
-		info->s->Error("type mismatch for value");
-		Unref(v);
-		return 0;
-		}
-
-	// For MutableVals, we may get a value which, by considering the
-	// globally unique ID, we already know. To keep references correct,
-	// we have to bind to the local version. (FIXME: This is not the
-	// nicest solution.  Ideally, DoUnserialize() should be able to pass
-	// us an alternative ptr to the correct object.)
-	if ( v->IsMutableVal() )
-		{
-		MutableVal* mv = v->AsMutableVal();
-		if ( mv->HasUniqueID() )
-			{
-			ID* current =
-				global_scope()->Lookup(mv->UniqueID()->Name());
-
-			if ( current && current != mv->UniqueID() )
-				{
-				DBG_LOG(DBG_STATE, "binding to already existing ID %s\n", current->Name());
-				assert(current->ID_Val());
-
-				// Need to unset the ID here.  Otherwise,
-				// when the SerializationCache destroys
-				// the value, the global name will disappear.
-				mv->SetID(0);
-				Unref(v);
-				return current->ID_Val()->Ref();
-				}
-			}
-		}
-
-	// An enum may be bound to a different internal number remotely than we
-	// do for the same identifier. Check if this is the case, and, if yes,
-	// rebind to our value.
-	if ( v->Type()->Tag() == TYPE_ENUM )
-		{
-		int rv = v->AsEnum();
-		EnumType* rt = v->Type()->AsEnumType();
-
-		const char* name = rt->Lookup(rv);
-		if ( name )
-			{
-			// See if we know the enum locally.
-			ID* local = global_scope()->Lookup(name);
-			if ( local && local->IsEnumConst() )
-				{
-				EnumType* lt = local->Type()->AsEnumType();
-				int lv = lt->Lookup(local->ModuleName(),
-							local->Name());
-
-				// Compare.
-				if ( rv != lv )
-					{
-					// Different, so let's bind the val
-					// to the local type.
-					v->val.int_val = lv;
-					Unref(rt);
-					v->type = lt;
-					::Ref(lt);
-					}
-				}
-			}
-
-		}
-
-	return v;
-	}
-
-IMPLEMENT_SERIAL(Val, SER_VAL);
-
-bool Val::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_VAL, BroObj);
-
-	if ( ! type->Serialize(info) )
-		return false;
-
-	switch ( type->InternalType() ) {
-	case TYPE_INTERNAL_VOID:
-		info->s->Error("type is void");
-		return false;
-
-	case TYPE_INTERNAL_INT:
-		return SERIALIZE(val.int_val);
-
-	case TYPE_INTERNAL_UNSIGNED:
-		return SERIALIZE(val.uint_val);
-
-	case TYPE_INTERNAL_DOUBLE:
-		return SERIALIZE(val.double_val);
-
-	case TYPE_INTERNAL_STRING:
-		return SERIALIZE_STR((const char*) val.string_val->Bytes(),
-				val.string_val->Len());
-
-	case TYPE_INTERNAL_ADDR:
-		return SERIALIZE(*val.addr_val);
-
-	case TYPE_INTERNAL_SUBNET:
-		return SERIALIZE(*val.subnet_val);
-
-	case TYPE_INTERNAL_OTHER:
-		// Derived classes are responsible for this.
-		// Exception: Functions and files. There aren't any derived
-		// classes.
-		if ( type->Tag() == TYPE_FUNC )
-			if ( ! AsFunc()->Serialize(info) )
-				return false;
-
-		if ( type->Tag() == TYPE_FILE )
-			if ( ! AsFile()->Serialize(info) )
-				return false;
-		return true;
-
-	case TYPE_INTERNAL_ERROR:
-		info->s->Error("type is error");
-		return false;
-
-	default:
-		info->s->Error("type is out of range");
-		return false;
-	}
-
-	return false;
-	}
-
-bool Val::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BroObj);
-
-	if ( type )
-		Unref(type);
-
-	if ( ! (type = BroType::Unserialize(info)) )
-		return false;
-
-	switch ( type->InternalType() ) {
-	case TYPE_INTERNAL_VOID:
-		info->s->Error("type is void");
-		return false;
-
-	case TYPE_INTERNAL_INT:
-		return UNSERIALIZE(&val.int_val);
-
-	case TYPE_INTERNAL_UNSIGNED:
-		return UNSERIALIZE(&val.uint_val);
-
-	case TYPE_INTERNAL_DOUBLE:
-		return UNSERIALIZE(&val.double_val);
-
-	case TYPE_INTERNAL_STRING:
-		const char* str;
-		int len;
-		if ( ! UNSERIALIZE_STR(&str, &len) )
-			return false;
-
-		val.string_val = new BroString((u_char*) str, len, 1);
-		delete [] str;
-		return true;
-
-	case TYPE_INTERNAL_ADDR:
-		{
-		val.addr_val = new IPAddr();
-		return UNSERIALIZE(val.addr_val);
-		}
-
-	case TYPE_INTERNAL_SUBNET:
-		{
-		val.subnet_val = new IPPrefix();
-		return UNSERIALIZE(val.subnet_val);
-		}
-
-	case TYPE_INTERNAL_OTHER:
-		// Derived classes are responsible for this.
-		// Exception: Functions and files. There aren't any derived
-		// classes.
-		if ( type->Tag() == TYPE_FUNC )
-			{
-			val.func_val = Func::Unserialize(info);
-			return val.func_val != 0;
-			}
-		else if ( type->Tag() == TYPE_FILE )
-			{
-			val.file_val = BroFile::Unserialize(info);
-			return val.file_val != 0;
-			}
-		return true;
-
-	case TYPE_INTERNAL_ERROR:
-		info->s->Error("type is error");
-		return false;
-
-	default:
-		info->s->Error("type out of range");
-		return false;
-	}
-
-	return false;
+	// Fixme: Johanna
+	return nullptr;
 	}
 
 int Val::IsZero() const
@@ -652,61 +416,6 @@ void MutableVal::TransferUniqueID(MutableVal* mv)
 	mv->id = 0;
 	}
 
-IMPLEMENT_SERIAL(MutableVal, SER_MUTABLE_VAL);
-
-bool MutableVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_MUTABLE_VAL, Val);
-
-	if ( ! SERIALIZE(props) )
-		return false;
-
-	// Don't use ID::Serialize here, that would loop.  All we
-	// need is the name, anyway.
-	const char* name = id ? id->Name() : "";
-	if ( ! SERIALIZE(name) )
-		return false;
-
-	return true;
-	}
-
-bool MutableVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-
-	if ( ! UNSERIALIZE(&props) )
-		 return false;
-
-	id = 0;
-
-	const char* name;
-	if ( ! UNSERIALIZE_STR(&name, 0) )
-		return false;
-
-	if ( *name )
-		{
-		id = new ID(name, SCOPE_GLOBAL, true);
-		id->SetVal(this, OP_NONE, true);
-
-		ID* current = global_scope()->Lookup(name);
-		if ( ! current )
-			{
-			global_scope()->Insert(name, id);
-			DBG_LOG(DBG_STATE, "installed formerly unknown ID %s", id->Name());
-			}
-		else
-			{
-			DBG_LOG(DBG_STATE, "got already known ID %s", current->Name());
-			// This means that we already know the value and
-			// that in fact we should bind to the local value.
-			// Val::Unserialize() will take care of this.
-			}
-		}
-
-	delete [] name;
-	return true;
-	}
-
 IntervalVal::IntervalVal(double quantity, double units) :
 	Val(quantity * units, TYPE_INTERVAL)
 	{
@@ -749,20 +458,6 @@ void IntervalVal::ValDescribe(ODesc* d) const
 	DO_UNIT(Microseconds, "usec")
 	}
 
-IMPLEMENT_SERIAL(IntervalVal, SER_INTERVAL_VAL);
-
-bool IntervalVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_INTERVAL_VAL, Val);
-	return true;
-	}
-
-bool IntervalVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-	return true;
-	}
-
 PortVal* PortManager::Get(uint32 port_num) const
 	{
 	return val_mgr->GetPort(port_num);
@@ -861,20 +556,6 @@ void PortVal::ValDescribe(ODesc* d) const
 		d->Add("/unknown");
 	}
 
-IMPLEMENT_SERIAL(PortVal, SER_PORT_VAL);
-
-bool PortVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_PORT_VAL, Val);
-	return true;
-	}
-
-bool PortVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-	return true;
-	}
-
 AddrVal::AddrVal(const char* text) : Val(TYPE_ADDR)
 	{
 	val.addr_val = new IPAddr(text);
@@ -919,20 +600,6 @@ Val* AddrVal::SizeVal() const
 		return val_mgr->GetCount(128);
 	}
 
-IMPLEMENT_SERIAL(AddrVal, SER_ADDR_VAL);
-
-bool AddrVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ADDR_VAL, Val);
-	return true;
-	}
-
-bool AddrVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-	return true;
-	}
-
 SubNetVal::SubNetVal(const char* text) : Val(TYPE_SUBNET)
 	{
 	string s(text);
@@ -1043,20 +710,6 @@ bool SubNetVal::Contains(const IPAddr& addr) const
 	return val.subnet_val->Contains(a);
 	}
 
-IMPLEMENT_SERIAL(SubNetVal, SER_SUBNET_VAL);
-
-bool SubNetVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_SUBNET_VAL, Val);
-	return true;
-	}
-
-bool SubNetVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-	return true;
-	}
-
 StringVal::StringVal(BroString* s) : Val(TYPE_STRING)
 	{
 	val.string_val = s;
@@ -1099,20 +752,6 @@ unsigned int StringVal::MemoryAllocation() const
 	return padded_sizeof(*this) + val.string_val->MemoryAllocation();
 	}
 
-IMPLEMENT_SERIAL(StringVal, SER_STRING_VAL);
-
-bool StringVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_STRING_VAL, Val);
-	return true;
-	}
-
-bool StringVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-	return true;
-	}
-
 PatternVal::PatternVal(RE_Matcher* re) : Val(base_type(TYPE_PATTERN))
 	{
 	val.re_val = re;
@@ -1161,22 +800,6 @@ unsigned int PatternVal::MemoryAllocation() const
 	return padded_sizeof(*this) + val.re_val->MemoryAllocation();
 	}
 
-IMPLEMENT_SERIAL(PatternVal, SER_PATTERN_VAL);
-
-bool PatternVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_PATTERN_VAL, Val);
-	return AsPattern()->Serialize(info);
-	}
-
-bool PatternVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-
-	val.re_val = RE_Matcher::Unserialize(info);
-	return val.re_val != 0;
-	}
-
 ListVal::ListVal(TypeTag t)
 : Val(new TypeList(t == TYPE_ANY ? 0 : base_type_no_ref(t)))
 	{
@@ -1259,52 +882,6 @@ void ListVal::Describe(ODesc* d) const
 		}
 	}
 
-IMPLEMENT_SERIAL(ListVal, SER_LIST_VAL);
-
-bool ListVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_LIST_VAL, Val);
-
-	if ( ! (SERIALIZE(char(tag)) && SERIALIZE(vals.length())) )
-		return false;
-
-	loop_over_list(vals, i)
-		{
-		if ( ! vals[i]->Serialize(info) )
-			return false;
-		}
-
-	return true;
-	}
-
-bool ListVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-
-	char t;
-	int len;
-
-	if ( ! (UNSERIALIZE(&t) && UNSERIALIZE(&len)) )
-		return false;
-
-	tag = TypeTag(t);
-
-	while ( len-- )
-		{
-		Val* v = Val::Unserialize(info, TYPE_ANY);
-		if ( ! v )
-			return false;
-
-		vals.append(v);
-		}
-
-	// Our dtor will do Unref(type) in addition to Val's dtor.
-	if ( type )
-		type->Ref();
-
-	return true;
-	}
-
 unsigned int ListVal::MemoryAllocation() const
 	{
 	unsigned int size = 0;
@@ -1580,7 +1157,6 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 		delete old_entry_val;
 		}
 
-	Modified();
 	return 1;
 	}
 
@@ -2062,7 +1638,6 @@ Val* TableVal::Delete(const Val* index)
 	delete k;
 	delete v;
 
-	Modified();
 	return va;
 	}
 
@@ -2084,7 +1659,6 @@ Val* TableVal::Delete(const HashKey* k)
 	if ( LoggingAccess() )
 		StateAccess::Log(new StateAccess(OP_DEL, this, k));
 
-	Modified();
 	return va;
 	}
 
@@ -2354,7 +1928,6 @@ void TableVal::DoExpire(double t)
 			tbl->RemoveEntry(k);
 			Unref(v->Value());
 			delete v;
-			Modified();
 			}
 
 		delete k;
@@ -2477,236 +2050,6 @@ void TableVal::ReadOperation(Val* index, TableEntryVal* v)
 		}
 	}
 
-IMPLEMENT_SERIAL(TableVal, SER_TABLE_VAL);
-
-// This is getting rather complex due to the ability to suspend even within
-// deeply-nested values.
-bool TableVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE_WITH_SUSPEND(SER_TABLE_VAL, MutableVal);
-
-	// The current state of the serialization.
-	struct State {
-		IterCookie* c;
-		TableEntryVal* v;	// current value
-		bool did_index;	// already wrote the val's index
-	}* state = 0;
-
-	PDict(TableEntryVal)* tbl =
-		const_cast<TableVal*>(this)->AsNonConstTable();
-
-	if ( info->cont.NewInstance() )
-		{
-		// For simplicity, we disable suspension for the objects
-		// serialized here.  (In fact we know that *currently*
-		// they won't even try).
-		DisableSuspend suspend(info);
-
-		state = new State;
-		state->c = tbl->InitForIteration();
-		tbl->MakeRobustCookie(state->c);
-		state->v = 0;
-		state->did_index = false;
-		info->s->WriteOpenTag(table_type->IsSet() ? "set" : "table");
-
-		SERIALIZE_OPTIONAL(attrs);
-		SERIALIZE_OPTIONAL(expire_time);
-		SERIALIZE_OPTIONAL(expire_func);
-
-		// Make sure nobody kills us in between.
-		const_cast<TableVal*>(this)->Ref();
-		}
-
-	else if ( info->cont.ChildSuspended() )
-		state = (State*) info->cont.RestoreState();
-
-	else if ( info->cont.Resuming() )
-		{
-		info->cont.Resume();
-		state = (State*) info->cont.RestoreState();
-		}
-	else
-		reporter->InternalError("unknown continuation state");
-
-	HashKey* k = 0;
-	int count = 0;
-
-	assert((!info->cont.ChildSuspended()) || state->v);
-
-	while ( true )
-		{
-		if ( ! state->v )
-			{
-			state->v = tbl->NextEntry(k, state->c);
-			if ( ! state->c )
-				{
-				// No next one.
-				if ( ! SERIALIZE(false) )
-					{
-					delete k;
-					return false;
-					}
-
-				break;
-				}
-
-			// There's a value coming.
-			if ( ! SERIALIZE(true) )
-				{
-				delete k;
-				return false;
-				}
-
-			if ( state->v->Value() )
-				state->v->Ref();
-
-			state->did_index = false;
-			}
-
-		// Serialize index.
-		if ( k && ! state->did_index )
-			{
-			// Indices are rather small, so we disable suspension
-			// here again.
-			DisableSuspend suspend(info);
-			info->s->WriteOpenTag("key");
-			ListVal* index = table_hash->RecoverVals(k)->AsListVal();
-			delete k;
-
-			if ( ! index->Serialize(info) )
-				return false;
-
-			Unref(index);
-			info->s->WriteCloseTag("key");
-
-			state->did_index = true;
-
-			// Start serializing data.
-			if ( ! type->IsSet() )
-				info->s->WriteOpenTag("value");
-			}
-
-		if ( ! type->IsSet() )
-			{
-			info->cont.SaveState(state);
-			info->cont.SaveContext();
-			bool result = state->v->val->Serialize(info);
-			info->cont.RestoreContext();
-
-			if ( ! result )
-				return false;
-
-			if ( info->cont.ChildSuspended() )
-				return true;
-			}
-
-		double eat = state->v->ExpireAccessTime();
-
-		if ( ! (SERIALIZE(state->v->last_access_time) &&
-			SERIALIZE(eat)) )
-			return false;
-
-		info->s->WriteCloseTag("value");
-
-		if ( state->v->Value() )
-			state->v->Unref();
-		state->v = 0; // Next value.
-
-		// Suspend if we've done enough for now (which means we
-		// have serialized more than table_incremental_step entries
-		// in a row; if an entry has suspended itself in between,
-		// we start counting from 0).
-		if ( info->may_suspend && ++count > table_incremental_step)
-			{
-			info->cont.SaveState(state);
-			info->cont.Suspend();
-			reporter->Info("TableVals serialization suspended right in the middle.");
-			return true;
-			}
-		}
-
-	info->s->WriteCloseTag(table_type->IsSet() ? "set" : "table");
-	delete state;
-
-	Unref(const_cast<TableVal*>(this));
-	return true;
-	}
-
-bool TableVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(MutableVal);
-
-	Init((TableType*) type);
-
-	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
-	UNSERIALIZE_OPTIONAL(expire_time, Expr::Unserialize(info));
-	UNSERIALIZE_OPTIONAL(expire_func, Expr::Unserialize(info));
-
-	while ( true )
-		{
-		// Anymore?
-		bool next;
-		if ( ! UNSERIALIZE(&next) )
-			return false;
-
-		if ( ! next )
-			break;
-
-		// Unserialize index.
-		ListVal* index =
-			(ListVal*) Val::Unserialize(info, table_type->Indices());
-		if ( ! index )
-			return false;
-
-		// Unserialize data.
-		Val* entry;
-		if ( ! table_type->IsSet() )
-			{
-			entry = Val::Unserialize(info, type->YieldType());
-			if ( ! entry )
-				return false;
-			}
-		else
-			entry = 0;
-
-		TableEntryVal* entry_val = new TableEntryVal(entry);
-
-		double eat;
-
-		if ( ! UNSERIALIZE(&entry_val->last_access_time) ||
-		     ! UNSERIALIZE(&eat) )
-			{
-			entry_val->Unref();
-			delete entry_val;
-			return false;
-			}
-
-		entry_val->SetExpireAccess(eat);
-
-		HashKey* key = ComputeHash(index);
-		TableEntryVal* old_entry_val =
-			AsNonConstTable()->Insert(key, entry_val);
-		assert(! old_entry_val);
-
-		delete key;
-
-		if ( subnets )
-			subnets->Insert(index, entry_val);
-
-		Unref(index);
-		}
-
-	// If necessary, activate the expire timer.
-	if ( attrs )
-		{
-		CheckExpireAttr(ATTR_EXPIRE_READ);
-		CheckExpireAttr(ATTR_EXPIRE_WRITE);
-		CheckExpireAttr(ATTR_EXPIRE_CREATE);
-		}
-
-	return true;
-	}
-
 bool TableVal::AddProperties(Properties arg_props)
 	{
 	if ( ! MutableVal::AddProperties(arg_props) )
@@ -2868,7 +2211,6 @@ void RecordVal::Assign(int field, Val* new_val, Opcode op)
 		}
 
 	Unref(old_val);
-	Modified();
 	}
 
 Val* RecordVal::Lookup(int field) const
@@ -3056,61 +2398,6 @@ void RecordVal::DescribeReST(ODesc* d) const
 	d->Add("}");
 	}
 
-IMPLEMENT_SERIAL(RecordVal, SER_RECORD_VAL);
-
-bool RecordVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_RECORD_VAL, MutableVal);
-
-	// We could use the type name as a tag here.
-	info->s->WriteOpenTag("record");
-
-	// We don't need to serialize record_type as it's simply the
-	// casted table_type.
-	// FIXME: What about origin?
-
-	if ( ! SERIALIZE(val.val_list_val->length()) )
-		return false;
-
-	loop_over_list(*val.val_list_val, i)
-		{
-		info->s->WriteOpenTag(record_type->FieldName(i));
-		Val* v = (*val.val_list_val)[i];
-		SERIALIZE_OPTIONAL(v);
-		info->s->WriteCloseTag(record_type->FieldName(i));
-		}
-
-	info->s->WriteCloseTag("record");
-
-	return true;
-	}
-
-bool RecordVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(MutableVal);
-
-	record_type = (RecordType*) type;
-	origin = 0;
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		{
-		val.val_list_val = new val_list;
-		return false;
-		}
-
-	val.val_list_val = new val_list(len);
-
-	for ( int i = 0; i < len; ++i )
-		{
-		Val* v;
-		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info));
-		AsNonConstRecord()->append(v);	// correct for v==0, too.
-		}
-
-	return true;
-	}
-
 bool RecordVal::AddProperties(Properties arg_props)
 	{
 	if ( ! MutableVal::AddProperties(arg_props) )
@@ -3172,20 +2459,6 @@ void EnumVal::ValDescribe(ODesc* d) const
 	d->Add(ename);
 	}
 
-IMPLEMENT_SERIAL(EnumVal, SER_ENUM_VAL);
-
-bool EnumVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_ENUM_VAL, Val);
-	return true;
-	}
-
-bool EnumVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-	return true;
-	}
-
 VectorVal::VectorVal(VectorType* t) : MutableVal(t)
 	{
 	vector_type = t->Ref()->AsVectorType();
@@ -3262,7 +2535,6 @@ bool VectorVal::Assign(unsigned int index, Val* element, Opcode op)
 	// to do it similarly.
 	(*val.vector_val)[index] = element;
 
-	Modified();
 	return true;
 	}
 
@@ -3357,51 +2629,6 @@ bool VectorVal::RemoveProperties(Properties arg_props)
 	return true;
 	}
 
-IMPLEMENT_SERIAL(VectorVal, SER_VECTOR_VAL);
-
-bool VectorVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_VECTOR_VAL, MutableVal);
-
-	info->s->WriteOpenTag("vector");
-
-	if ( ! SERIALIZE(unsigned(val.vector_val->size())) )
-		return false;
-
-	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
-		{
-		info->s->WriteOpenTag("value");
-		Val* v = (*val.vector_val)[i];
-		SERIALIZE_OPTIONAL(v);
-		info->s->WriteCloseTag("value");
-		}
-
-	info->s->WriteCloseTag("vector");
-
-	return true;
-	}
-
-bool VectorVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(MutableVal);
-
-	val.vector_val = new vector<Val*>;
-	vector_type = type->Ref()->AsVectorType();
-
-	int len;
-	if ( ! UNSERIALIZE(&len) )
-		return false;
-
-	for ( int i = 0; i < len; ++i )
-		{
-		Val* v;
-		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info, TYPE_ANY)); // accept any type
-		Assign(i, v);
-		}
-
-	return true;
-	}
-
 void VectorVal::ValDescribe(ODesc* d) const
 	{
 	d->Add("[");
@@ -3429,20 +2656,6 @@ OpaqueVal::~OpaqueVal()
 	{
 	}
 
-IMPLEMENT_SERIAL(OpaqueVal, SER_OPAQUE_VAL);
-
-bool OpaqueVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_OPAQUE_VAL, Val);
-	return true;
-	}
-
-bool OpaqueVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Val);
-	return true;
-	}
-
 Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	{
 	if ( ! v )
diff --git a/src/Val.h b/src/Val.h
index 2d915bcc6f..dc773c9922 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -20,6 +20,7 @@
 #include "Scope.h"
 #include "StateAccess.h"
 #include "IPAddr.h"
+#include "DebugLogger.h"
 
 // We have four different port name spaces: TCP, UDP, ICMP, and UNKNOWN.
 // We distinguish between them based on the bits specified in the *_PORT_MASK
@@ -36,7 +37,6 @@ class Func;
 class BroFile;
 class RE_Matcher;
 class PrefixTable;
-class SerialInfo;
 
 class PortVal;
 class AddrVal;
@@ -344,14 +344,6 @@ public:
 	void Describe(ODesc* d) const override;
 	virtual void DescribeReST(ODesc* d) const;
 
-	bool Serialize(SerialInfo* info) const;
-	static Val* Unserialize(UnserialInfo* info, TypeTag type = TYPE_ANY)
-		{ return Unserialize(info, type, 0); }
-	static Val* Unserialize(UnserialInfo* info, const BroType* exact_type)
-		{ return Unserialize(info, exact_type->Tag(), exact_type); }
-
-	DECLARE_SERIAL(Val);
-
 #ifdef DEBUG
 	// For debugging, we keep a reference to the global ID to which a
 	// value has been bound *last*.
@@ -415,10 +407,6 @@ protected:
 	ACCESSOR(TYPE_TABLE, PDict(TableEntryVal)*, table_val, AsNonConstTable)
 	ACCESSOR(TYPE_RECORD, val_list*, val_list_val, AsNonConstRecord)
 
-	// Just an internal helper.
-	static Val* Unserialize(UnserialInfo* info, TypeTag type,
-			const BroType* exact_type);
-
 	BroValUnion val;
 	BroType* type;
 
@@ -544,18 +532,10 @@ public:
 #endif
 		}
 
-	uint64 LastModified() const override	{ return last_modified; }
-
-	// Mark value as changed.
-	void Modified()
-		{
-		last_modified = IncreaseTimeCounter();
-		}
-
 protected:
 	explicit MutableVal(BroType* t) : Val(t)
-		{ props = 0; id = 0; last_modified = SerialObj::ALWAYS; }
-	MutableVal()	{ props = 0; id = 0; last_modified = SerialObj::ALWAYS; }
+		{ props = 0; id = 0; }
+	MutableVal()	{ props = 0; id = 0; }
 	~MutableVal() override;
 
 	friend class ID;
@@ -563,8 +543,6 @@ protected:
 
 	void SetID(ID* arg_id)	{ Unref(id); id = arg_id; }
 
-	DECLARE_SERIAL(MutableVal);
-
 private:
 	ID* Bind() const;
 
@@ -589,8 +567,6 @@ protected:
 	IntervalVal()	{}
 
 	void ValDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(IntervalVal);
 };
 
 
@@ -636,8 +612,6 @@ protected:
 	PortVal(uint32 p, bool unused);
 
 	void ValDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(PortVal);
 };
 
 class AddrVal : public Val {
@@ -660,8 +634,6 @@ protected:
 	AddrVal()	{}
 	explicit AddrVal(TypeTag t) : Val(t)	{ }
 	explicit AddrVal(BroType* t) : Val(t)	{ }
-
-	DECLARE_SERIAL(AddrVal);
 };
 
 class SubNetVal : public Val {
@@ -689,8 +661,6 @@ protected:
 	SubNetVal()	{}
 
 	void ValDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(SubNetVal);
 };
 
 class StringVal : public Val {
@@ -721,8 +691,6 @@ protected:
 	StringVal()	{}
 
 	void ValDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(StringVal);
 };
 
 class PatternVal : public Val {
@@ -741,8 +709,6 @@ protected:
 	PatternVal()	{}
 
 	void ValDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(PatternVal);
 };
 
 // ListVals are mainly used to index tables that have more than one
@@ -786,8 +752,6 @@ protected:
 	friend class Val;
 	ListVal()	{}
 
-	DECLARE_SERIAL(ListVal);
-
 	val_list vals;
 	TypeTag tag;
 };
@@ -994,8 +958,6 @@ protected:
 	// Propagates a read operation if necessary.
 	void ReadOperation(Val* index, TableEntryVal *v);
 
-	DECLARE_SERIAL(TableVal);
-
 	TableType* table_type;
 	CompositeHash* table_hash;
 	Attributes* attrs;
@@ -1066,8 +1028,6 @@ protected:
 	bool AddProperties(Properties arg_state) override;
 	bool RemoveProperties(Properties arg_state) override;
 
-	DECLARE_SERIAL(RecordVal);
-
 	RecordType* record_type;
 	BroObj* origin;
 
@@ -1097,8 +1057,6 @@ protected:
 	EnumVal()	{}
 
 	void ValDescribe(ODesc* d) const override;
-
-	DECLARE_SERIAL(EnumVal);
 };
 
 
@@ -1158,8 +1116,6 @@ protected:
 	bool RemoveProperties(Properties arg_state) override;
 	void ValDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(VectorVal);
-
 	VectorType* vector_type;
 };
 
@@ -1174,8 +1130,6 @@ public:
 protected:
 	friend class Val;
 	OpaqueVal() { }
-
-	DECLARE_SERIAL(OpaqueVal);
 };
 
 // Checks the given value for consistency with the given type.  If an
diff --git a/src/Var.cc b/src/Var.cc
index 3dd3d2702b..3c056ae194 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -6,7 +6,6 @@
 #include "Func.h"
 #include "Stmt.h"
 #include "Scope.h"
-#include "Serializer.h"
 #include "EventRegistry.h"
 #include "Traverse.h"
 
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index fcd8237c55..c5d1832923 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -444,20 +444,6 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
 		}
 	}
 
-IMPLEMENT_SERIAL(TCP_Reassembler, SER_TCP_REASSEMBLER);
-
-bool TCP_Reassembler::DoSerialize(SerialInfo* info) const
-	{
-	reporter->InternalError("TCP_Reassembler::DoSerialize not implemented");
-	return false; // Cannot be reached.
-	}
-
-bool TCP_Reassembler::DoUnserialize(UnserialInfo* info)
-	{
-	reporter->InternalError("TCP_Reassembler::DoUnserialize not implemented");
-	return false; // Cannot be reached.
-	}
-
 void TCP_Reassembler::Deliver(uint64 seq, int len, const u_char* data)
 	{
 	if ( type == Direct )
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h
index bacfa663e0..f4512e4503 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.h
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h
@@ -89,8 +89,6 @@ public:
 private:
 	TCP_Reassembler()	{ }
 
-	DECLARE_SERIAL(TCP_Reassembler);
-
 	void Undelivered(uint64 up_to_seq) override;
 	void Gap(uint64 seq, uint64 len);
 
diff --git a/src/bro.bif b/src/bro.bif
index c3a9f13d56..05c72d4039 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -4886,7 +4886,7 @@ function uninstall_dst_net_filter%(snet: subnet%) : bool
 	%}
 
 ## Writes the binary event stream generated by the core to a given file.
-## Use the ``-x <filename>`` command line switch to replay saved events.
+## Use the ``-R <filename>`` command line switch to replay saved events.
 ##
 ## filename: The name of the file which stores the events.
 ##
@@ -4895,32 +4895,9 @@ function uninstall_dst_net_filter%(snet: subnet%) : bool
 ## .. zeek:see:: capture_state_updates
 function capture_events%(filename: string%) : bool
 	%{
-	if ( ! event_serializer )
-		event_serializer = new FileSerializer();
-	else
-		event_serializer->Close();
+	// Fixme: johanna
 
-	return val_mgr->GetBool(event_serializer->Open(
-		(const char*) filename->CheckString()));
-	%}
-
-## Writes state updates generated by :zeek:attr:`&synchronized` variables to a
-## file.
-##
-## filename: The name of the file which stores the state updates.
-##
-## Returns: True if opening the target file succeeds.
-##
-## .. zeek:see:: capture_events
-function capture_state_updates%(filename: string%) : bool
-	%{
-	if ( ! state_serializer )
-		state_serializer = new FileSerializer();
-	else
-		state_serializer->Close();
-
-	return val_mgr->GetBool(state_serializer->Open(
-		(const char*) filename->CheckString()));
+	return val_mgr->GetBool(true);
 	%}
 
 ## Checks whether the last raised event came from a remote peer.
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index 849bad5d9b..63efd58d44 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -128,12 +128,8 @@ struct val_converter {
 			}
 		case TYPE_OPAQUE:
 			{
-			SerializationFormat* form = new BinarySerializationFormat();
-			form->StartRead(a.data(), a.size());
-			CloneSerializer ss(form);
-			UnserialInfo uinfo(&ss);
-			uinfo.cache = false;
-			return Val::Unserialize(&uinfo, type->Tag());
+			// Fixme: Johanna
+			return nullptr;
 			}
 		default:
 			return nullptr;
@@ -511,12 +507,8 @@ struct type_checker {
 		case TYPE_OPAQUE:
 			{
 			// TODO
-			SerializationFormat* form = new BinarySerializationFormat();
-			form->StartRead(a.data(), a.size());
-			CloneSerializer ss(form);
-			UnserialInfo uinfo(&ss);
-			uinfo.cache = false;
-			return Val::Unserialize(&uinfo, type->Tag());
+			// Fixme: johanna
+			return false;
 			}
 		default:
 			return false;
@@ -978,24 +970,10 @@ broker::expected<broker::data> bro_broker::val_to_data(Val* v)
 		broker::vector rval = {p->PatternText(), p->AnywherePatternText()};
 		return {std::move(rval)};
 		}
-	case TYPE_OPAQUE:
-		{
-		SerializationFormat* form = new BinarySerializationFormat();
-		form->StartWrite();
-		CloneSerializer ss(form);
-		SerialInfo sinfo(&ss);
-		sinfo.cache = false;
-		sinfo.include_locations = false;
-
-		if ( ! v->Serialize(&sinfo) )
-			return broker::ec::invalid_data;
-
-		char* data;
-		uint32 len = form->EndWrite(&data);
-		string rval(data, len);
-		free(data);
-		return {std::move(rval)};
-		}
+	// Fixme: johanna
+	// case TYPE_OPAQUE:
+	//	{
+	//	}
 	default:
 		reporter->Error("unsupported Broker::Data type: %s",
 		                type_name(v->Type()->Tag()));
@@ -1131,42 +1109,6 @@ Val* bro_broker::DataVal::castTo(BroType* t)
 	return data_to_val(data, t);
 	}
 
-IMPLEMENT_SERIAL(bro_broker::DataVal, SER_COMM_DATA_VAL);
-
-bool bro_broker::DataVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_COMM_DATA_VAL, OpaqueVal);
-
-	std::string buffer;
-	caf::containerbuf<std::string> sb{buffer};
-	caf::stream_serializer<caf::containerbuf<std::string>&> serializer{sb};
-	serializer << data;
-
-	if ( ! SERIALIZE_STR(buffer.data(), buffer.size()) )
-		return false;
-
-	return true;
-	}
-
-bool bro_broker::DataVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal);
-
-	const char* serial;
-	int len;
-
-	if ( ! UNSERIALIZE_STR(&serial, &len) )
-		return false;
-
-	caf::arraybuf<char> sb{const_cast<char*>(serial), // will not write
-	                       static_cast<size_t>(len)};
-	caf::stream_deserializer<caf::arraybuf<char>&> deserializer{sb};
-	deserializer >> data;
-
-	delete [] serial;
-	return true;
-	}
-
 broker::data bro_broker::threading_field_to_data(const threading::Field* f)
 	{
 	auto name = f->name;
diff --git a/src/broker/Data.h b/src/broker/Data.h
index e2a5968a82..bf7bdd8cad 100644
--- a/src/broker/Data.h
+++ b/src/broker/Data.h
@@ -120,8 +120,6 @@ public:
 		return script_data_type;
 		}
 
-	DECLARE_SERIAL(DataVal);
-
 	broker::data data;
 
 protected:
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc
index 959ef6cb9d..93202f6b46 100644
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@@ -18,6 +18,7 @@
 #include "logging/Manager.h"
 #include "DebugLogger.h"
 #include "iosource/Manager.h"
+#include "SerializationFormat.h"
 
 using namespace std;
 
diff --git a/src/broker/Store.cc b/src/broker/Store.cc
index 200e1b6abf..f4db09f030 100644
--- a/src/broker/Store.cc
+++ b/src/broker/Store.cc
@@ -49,48 +49,6 @@ void StoreHandleVal::ValDescribe(ODesc* d) const
 	d->Add("}");
 	}
 
-IMPLEMENT_SERIAL(StoreHandleVal, SER_COMM_STORE_HANDLE_VAL);
-
-bool StoreHandleVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_COMM_STORE_HANDLE_VAL, OpaqueVal);
-
-	auto name = store.name();
-	if ( ! SERIALIZE_STR(name.data(), name.size()) )
-		return false;
-
-	return true;
-	}
-
-bool StoreHandleVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal);
-
-	const char* name_str;
-	int len;
-
-	if ( ! UNSERIALIZE_STR(&name_str, &len) )
-		return false;
-
-	std::string name(name_str, len);
-	delete [] name_str;
-
-	auto handle = broker_mgr->LookupStore(name);
-	if ( ! handle )
-		{
-		// Passing serialized version of store handles to other Bro processes
-		// doesn't make sense, only allow local clones of the handle val.
-		reporter->Error("failed to look up unserialized store handle %s",
-		                name.c_str());
-		return false;
-		}
-
-	store = handle->store;
-	proxy = broker::store::proxy{store};
-
-	return true;
-	}
-
 broker::backend to_backend_type(BifEnum::Broker::BackendType type)
 	{
 	switch ( type ) {
diff --git a/src/broker/Store.h b/src/broker/Store.h
index 1df60584fd..190417d71d 100644
--- a/src/broker/Store.h
+++ b/src/broker/Store.h
@@ -116,8 +116,6 @@ public:
 
 	void ValDescribe(ODesc* d) const override;
 
-	DECLARE_SERIAL(StoreHandleVal);
-
 	broker::store store;
 	broker::store::proxy proxy;
 
diff --git a/src/file_analysis/FileReassembler.cc b/src/file_analysis/FileReassembler.cc
index ba15086320..41a37c52fd 100644
--- a/src/file_analysis/FileReassembler.cc
+++ b/src/file_analysis/FileReassembler.cc
@@ -110,19 +110,4 @@ void FileReassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
 	{
 	// Not doing anything here yet.
 	}
-
-IMPLEMENT_SERIAL(FileReassembler, SER_FILE_REASSEMBLER);
-
-bool FileReassembler::DoSerialize(SerialInfo* info) const
-	{
-	reporter->InternalError("FileReassembler::DoSerialize not implemented");
-	return false; // Cannot be reached.
-	}
-
-bool FileReassembler::DoUnserialize(UnserialInfo* info)
-	{
-	reporter->InternalError("FileReassembler::DoUnserialize not implemented");
-	return false; // Cannot be reached.
-	}
-
 } // end file_analysis
diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h
index c6143a5565..79aff34829 100644
--- a/src/file_analysis/FileReassembler.h
+++ b/src/file_analysis/FileReassembler.h
@@ -50,8 +50,6 @@ public:
 protected:
 	FileReassembler();
 
-	DECLARE_SERIAL(FileReassembler);
-
 	void Undelivered(uint64 up_to_seq) override;
 	void BlockInserted(DataBlock* b) override;
 	void Overlap(const u_char* b1, const u_char* b2, uint64 n) override;
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index d55931c946..9512d43260 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -28,8 +28,6 @@ X509* helper_sk_X509_value(const STACK_OF(X509)* certs, int i)
 
 using namespace file_analysis;
 
-IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL);
-
 #define OCSP_STRING_BUF_SIZE 2048
 
 static Val* get_ocsp_type(RecordVal* args, const char* name)
@@ -713,31 +711,3 @@ OCSP_RESPONSE* OCSP_RESPVal::GetResp() const
 	return ocsp_resp;
 	}
 
-bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal);
-	unsigned char *buf = nullptr;
-	int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf);
-	if ( length < 0 )
-		return false;
-	bool res = SERIALIZE_STR(reinterpret_cast<const char*>(buf), length);
-	OPENSSL_free(buf);
-	return res;
-	}
-
-bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal)
-
-	int length;
-	unsigned char *ocsp_resp_buf, *opensslbuf;
-
-	if ( ! UNSERIALIZE_STR(reinterpret_cast<char **>(&ocsp_resp_buf), &length) )
-		return false;
-	opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really.
-	ocsp_resp = d2i_OCSP_RESPONSE(nullptr, const_cast<const unsigned char**>(&opensslbuf), length);
-	delete [] ocsp_resp_buf;
-	if ( ! ocsp_resp )
-		return false;
-	return true;
-	}
diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
index eb6499794c..9bb7b5712f 100644
--- a/src/file_analysis/analyzer/x509/OCSP.h
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@@ -46,7 +46,6 @@ protected:
 	OCSP_RESPVal();
 private:
 	OCSP_RESPONSE *ocsp_resp;
-	DECLARE_SERIAL(OCSP_RESPVal);
 };
 
 }
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 524aae1f27..8b5159ca3b 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -18,8 +18,6 @@
 
 using namespace file_analysis;
 
-IMPLEMENT_SERIAL(X509Val, SER_X509_VAL);
-
 file_analysis::X509::X509(RecordVal* args, file_analysis::File* file)
 	: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"), args, file)
 	{
@@ -482,39 +480,3 @@ X509Val::~X509Val()
 	return certificate;
 	}
 
-bool X509Val::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_X509_VAL, OpaqueVal);
-
-	unsigned char *buf = NULL;
-
-	int length = i2d_X509(certificate, &buf);
-
-	if ( length < 0 )
-		return false;
-
-	bool res = SERIALIZE_STR(reinterpret_cast<const char*>(buf), length);
-
-	OPENSSL_free(buf);
-	return res;
-	}
-
-bool X509Val::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal)
-
-	int length;
-	unsigned char *certbuf, *opensslbuf;
-
-	if ( ! UNSERIALIZE_STR(reinterpret_cast<char **>(&certbuf), &length) )
-		return false;
-
-	opensslbuf = certbuf; // OpenSSL likes to shift pointers around. really.
-	certificate = d2i_X509(NULL, const_cast<const unsigned char**>(&opensslbuf), length);
-	delete[] certbuf;
-
-	if ( !certificate )
-		return false;
-
-	return true;
-	}
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index a3dc62e533..72676a08be 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -144,8 +144,6 @@ protected:
 
 private:
 	::X509* certificate; // the wrapped certificate
-
-	DECLARE_SERIAL(X509Val);
 };
 
 }
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 54d1cc6f27..e2bbe99c30 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -2,8 +2,6 @@
 #include "Packet.h"
 #include "Sessions.h"
 #include "iosource/Manager.h"
-#include "SerialInfo.h"
-#include "Serializer.h"
 
 extern "C" {
 #ifdef HAVE_NET_ETHERNET_H
@@ -673,66 +671,3 @@ void Packet::Describe(ODesc* d) const
 	d->Add(ip.DstAddr());
 	}
 
-bool Packet::Serialize(SerialInfo* info) const
-	{
-	return SERIALIZE(uint32(ts.tv_sec)) &&
-		SERIALIZE(uint32(ts.tv_usec)) &&
-		SERIALIZE(uint32(len)) &&
-		SERIALIZE(link_type) &&
-		info->s->Write(tag.c_str(), tag.length(), "tag") &&
-		info->s->Write((const char*)data, cap_len, "data");
-	}
-
-#ifdef DEBUG
-static iosource::PktDumper* dump = 0;
-#endif
-
-Packet* Packet::Unserialize(UnserialInfo* info)
-	{
-	pkt_timeval ts;
-	uint32 len, link_type;
-
-	if ( ! (UNSERIALIZE((uint32 *)&ts.tv_sec) &&
-		UNSERIALIZE((uint32 *)&ts.tv_usec) &&
-		UNSERIALIZE(&len) &&
-		UNSERIALIZE(&link_type)) )
-		return 0;
-
-	char* tag;
-	if ( ! info->s->Read((char**) &tag, 0, "tag") )
-		return 0;
-
-	const u_char* pkt;
-	int caplen;
-	if ( ! info->s->Read((char**) &pkt, &caplen, "data") )
-		{
-		delete [] tag;
-		return 0;
-		}
-
-	Packet *p = new Packet(link_type, &ts, caplen, len, pkt, true,
-			       std::string(tag));
-	delete [] tag;
-
-	// For the global timer manager, we take the global network_time as the
-	// packet's timestamp for feeding it into our packet loop.
-	if ( p->tag == "" )
-		p->time = timer_mgr->Time();
-	else
-		p->time = p->ts.tv_sec + double(p->ts.tv_usec) / 1e6;
-
-#ifdef DEBUG
-	if ( debug_logger.IsEnabled(DBG_TM) )
-		{
-		if ( ! dump )
-			dump = iosource_mgr->OpenPktDumper("tm.pcap", true);
-
-		if ( dump )
-			{
-			dump->Dump(p);
-			}
-		}
-#endif
-
-	return p;
-	}
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index ec29f39ff5..3ca24cb737 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -24,12 +24,6 @@ enum Layer3Proto {
 
 /**
  * A link-layer packet.
- *
- * Note that for serialization we don't use much of the support provided by
- * the serialization framework. Serialize/Unserialize do all the work by
- * themselves. In particular, Packets aren't derived from SerialObj. They are
- * completely seperate and self-contained entities, and we don't need any of
- * the sophisticated features like object caching.
  */
 class Packet {
 public:
@@ -144,16 +138,6 @@ public:
 	 */
 	void Describe(ODesc* d) const;
 
-	/**
-	 * Serializes the packet, with standard signature.
-	 */
-	bool Serialize(SerialInfo* info) const;
-
-	/**
-	 * Unserializes the packet, with standard signature.
-	 */
-	static Packet* Unserialize(UnserialInfo* info);
-
 	/**
 	 * Maximal length of a layer 2 address.
 	 */
diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc
index 7bede8f6e6..162b19d26a 100644
--- a/src/logging/WriterBackend.cc
+++ b/src/logging/WriterBackend.cc
@@ -4,7 +4,6 @@
 
 #include "util.h"
 #include "threading/SerialTypes.h"
-#include "SerializationFormat.h"
 
 #include "Manager.h"
 #include "WriterBackend.h"
@@ -70,58 +69,6 @@ public:
 
 using namespace logging;
 
-bool WriterBackend::WriterInfo::Read(SerializationFormat* fmt)
-	{
-	int size;
-
-	string tmp_path;
-
-	if ( ! (fmt->Read(&tmp_path, "path") &&
-		fmt->Read(&rotation_base, "rotation_base") &&
-		fmt->Read(&rotation_interval, "rotation_interval") &&
-		fmt->Read(&network_time, "network_time") &&
-		fmt->Read(&size, "config_size")) )
-		return false;
-
-	path = copy_string(tmp_path.c_str());
-
-	config.clear();
-
-	while ( size-- )
-		{
-		string value;
-		string key;
-
-		if ( ! (fmt->Read(&value, "config-value") && fmt->Read(&key, "config-key")) )
-			return false;
-
-		config.insert(std::make_pair(copy_string(value.c_str()), copy_string(key.c_str())));
-		}
-
-	return true;
-	}
-
-
-bool WriterBackend::WriterInfo::Write(SerializationFormat* fmt) const
-	{
-	int size = config.size();
-
-	if ( ! (fmt->Write(path, "path") &&
-		fmt->Write(rotation_base, "rotation_base") &&
-		fmt->Write(rotation_interval, "rotation_interval") &&
-		fmt->Write(network_time, "network_time") &&
-		fmt->Write(size, "config_size")) )
-		return false;
-
-	for ( config_map::const_iterator i = config.begin(); i != config.end(); ++i )
-		{
-		if ( ! (fmt->Write(i->first, "config-value") && fmt->Write(i->second, "config-key")) )
-			return false;
-		}
-
-	return true;
-	}
-
 broker::data WriterBackend::WriterInfo::ToBroker() const
 	{
 	auto t = broker::table();
diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h
index 187a1957d7..35cf401199 100644
--- a/src/logging/WriterBackend.h
+++ b/src/logging/WriterBackend.h
@@ -112,8 +112,6 @@ public:
 
 		// Note, these need to be adapted when changing the struct's
 		// fields. They serialize/deserialize the struct.
-		bool Read(SerializationFormat* fmt);
-		bool Write(SerializationFormat* fmt) const;
 		broker::data ToBroker() const;
 		bool FromBroker(broker::data d);
 
diff --git a/src/main.cc b/src/main.cc
index c9e32ab4b4..056306b077 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -38,7 +38,6 @@ extern "C" {
 #include "DFA.h"
 #include "RuleMatcher.h"
 #include "Anon.h"
-#include "Serializer.h"
 #include "EventRegistry.h"
 #include "Stats.h"
 #include "Brofiler.h"
@@ -99,9 +98,9 @@ name_list prefixes;
 Stmt* stmts;
 EventHandlerPtr net_done = 0;
 RuleMatcher* rule_matcher = 0;
-FileSerializer* event_serializer = 0;
-FileSerializer* state_serializer = 0;
-EventPlayer* event_player = 0;
+// Fixme: Johanna
+// FileSerializer* event_serializer = 0;
+// EventPlayer* event_player = 0;
 EventRegistry* event_registry = 0;
 ProfileLogger* profiling_logger = 0;
 ProfileLogger* segment_logger = 0;
@@ -171,7 +170,6 @@ void usage(int code = 1)
 	fprintf(stderr, "    -t|--tracefile <tracefile>     | activate execution tracing\n");
 	fprintf(stderr, "    -v|--version                   | print version and exit\n");
 	fprintf(stderr, "    -w|--writefile <writefile>     | write to given tcpdump file\n");
-	fprintf(stderr, "    -x|--print-state <file.bst>    | print contents of state file\n");
 #ifdef DEBUG
 	fprintf(stderr, "    -B|--debug <dbgstreams>        | Enable debugging output for selected streams ('-B help' for help)\n");
 #endif
@@ -353,8 +351,8 @@ void terminate_bro()
 
 	delete zeekygen_mgr;
 	delete timer_mgr;
-	delete event_serializer;
-	delete state_serializer;
+	// Fixme: johanna
+	// delete event_serializer;
 	delete event_registry;
 	delete analyzer_mgr;
 	delete file_mgr;
@@ -424,7 +422,6 @@ int main(int argc, char** argv)
 	name_list interfaces;
 	name_list read_files;
 	name_list rule_files;
-	char* bst_file = 0;
 	char* id_name = 0;
 	char* events_file = 0;
 	char* seed_load_file = getenv("BRO_SEED_FILE");
@@ -455,7 +452,6 @@ int main(int argc, char** argv)
 		{"tracefile",		required_argument,	0,	't'},
 		{"writefile",		required_argument,	0,	'w'},
 		{"version",		no_argument,		0,	'v'},
-		{"print-state",		required_argument,	0,	'x'},
 		{"no-checksums",	no_argument,		0,	'C'},
 		{"force-dns",		no_argument,		0,	'F'},
 		{"load-seeds",		required_argument,	0,	'G'},
@@ -578,10 +574,6 @@ int main(int argc, char** argv)
 			writefile = optarg;
 			break;
 
-		case 'x':
-			bst_file = optarg;
-			break;
-
 		case 'B':
 			debug_streams = optarg;
 			break;
@@ -744,7 +736,7 @@ int main(int argc, char** argv)
 	if ( optind == argc &&
 	     read_files.length() == 0 &&
 	     interfaces.length() == 0 &&
-	     ! (id_name || bst_file) && ! command_line_policy && ! print_plugins )
+	     ! id_name && ! command_line_policy && ! print_plugins )
 		add_input_file("-");
 
 	// Process remaining arguments. X=Y arguments indicate script
@@ -796,8 +788,9 @@ int main(int argc, char** argv)
 
 	plugin_mgr->ActivateDynamicPlugins(! bare_mode);
 
-	if ( events_file )
-		event_player = new EventPlayer(events_file);
+	// Fixme: Johanna
+	// if ( events_file )
+	//	event_player = new EventPlayer(events_file);
 
 	init_event_handlers();
 
@@ -972,19 +965,6 @@ int main(int argc, char** argv)
 		exit(0);
 		}
 
-	// Just read state file from disk.
-	if ( bst_file )
-		{
-		FileSerializer s;
-		UnserialInfo info(&s);
-		info.print = stdout;
-		info.install_uniques = true;
-		if ( ! s.Read(&info, bst_file) )
-			reporter->Error("Failed to read events from %s\n", bst_file);
-
-		exit(0);
-		}
-
 	// Print the ID.
 	if ( id_name )
 		{
diff --git a/src/probabilistic/BitVector.cc b/src/probabilistic/BitVector.cc
index 7fa80c206b..6e09c370a4 100644
--- a/src/probabilistic/BitVector.cc
+++ b/src/probabilistic/BitVector.cc
@@ -5,7 +5,6 @@
 #include <limits>
 
 #include "BitVector.h"
-#include "Serializer.h"
 #include "digest.h"
 
 using namespace probabilistic;
@@ -539,56 +538,3 @@ BitVector::size_type BitVector::find_from(size_type i) const
 	return i * bits_per_block + lowest_bit(bits[i]);
 	}
 
-bool BitVector::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-BitVector* BitVector::Unserialize(UnserialInfo* info)
-	{
-	return reinterpret_cast<BitVector*>(SerialObj::Unserialize(info, SER_BITVECTOR));
-	}
-
-IMPLEMENT_SERIAL(BitVector, SER_BITVECTOR);
-
-bool BitVector::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BITVECTOR, SerialObj);
-
-	if ( ! SERIALIZE(static_cast<uint64>(bits.size())) )
-		return false;
-
-	for ( size_t i = 0; i < bits.size(); ++i )
-		if ( ! SERIALIZE(static_cast<uint64>(bits[i])) )
-			return false;
-
-	return SERIALIZE(static_cast<uint64>(num_bits));
-	}
-
-bool BitVector::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	uint64 size;
-	if ( ! UNSERIALIZE(&size) )
-		return false;
-
-	bits.resize(static_cast<size_t>(size));
-
-	for ( size_t i = 0; i < bits.size(); ++i )
-		{
-		uint64 block;
-		if ( ! UNSERIALIZE(&block) )
-			return false;
-
-		bits[i] = static_cast<block_type>(block);
-		}
-
-	uint64 n;
-	if ( ! UNSERIALIZE(&n) )
-		return false;
-
-	num_bits = static_cast<size_type>(n);
-
-	return true;
-	}
diff --git a/src/probabilistic/BitVector.h b/src/probabilistic/BitVector.h
index a1ff0c9ad9..a87b27e55b 100644
--- a/src/probabilistic/BitVector.h
+++ b/src/probabilistic/BitVector.h
@@ -6,16 +6,14 @@
 #include <iterator>
 #include <vector>
 
-#include "SerialObj.h"
-
 namespace probabilistic {
 
 /**
  * A vector of bits.
  */
-class BitVector : public SerialObj {
+class BitVector {
 public:
-	typedef uint64 block_type;
+	typedef uint64_t block_type;
 	typedef size_t size_type;
 	typedef bool const_reference;
 
@@ -281,28 +279,7 @@ public:
 	  *
 	  * @return The hash.
 	  */
-	uint64 Hash() const;
-
-	/**
-	 * Serializes the bit vector.
-	 *
-	 * @param info The serializaton informationt to use.
-	 *
-	 * @return True if successful.
-	 */
-	bool Serialize(SerialInfo* info) const;
-
-	/**
-	 * Unserialize the bit vector.
-	 *
-	 * @param info The serializaton informationt to use.
-	 *
-	 * @return The unserialized bit vector, or null if an error occured.
-	 */
-	static BitVector* Unserialize(UnserialInfo* info);
-
-protected:
-	DECLARE_SERIAL(BitVector);
+	uint64_t Hash() const;
 
 private:
 	/**
diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc
index ef671268b9..e12de2f049 100644
--- a/src/probabilistic/BloomFilter.cc
+++ b/src/probabilistic/BloomFilter.cc
@@ -7,9 +7,9 @@
 #include "BloomFilter.h"
 
 #include "CounterVector.h"
-#include "Serializer.h"
 
 #include "../util.h"
+#include "../Reporter.h"
 
 using namespace probabilistic;
 
@@ -28,31 +28,6 @@ BloomFilter::~BloomFilter()
 	delete hasher;
 	}
 
-bool BloomFilter::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-BloomFilter* BloomFilter::Unserialize(UnserialInfo* info)
-	{
-	return reinterpret_cast<BloomFilter*>(SerialObj::Unserialize(info, SER_BLOOMFILTER));
-	}
-
-bool BloomFilter::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BLOOMFILTER, SerialObj);
-
-	return hasher->Serialize(info);
-	}
-
-bool BloomFilter::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	hasher = Hasher::Unserialize(info);
-	return hasher != 0;
-	}
-
 size_t BasicBloomFilter::M(double fp, size_t capacity)
 	{
 	double ln2 = std::log(2);
@@ -130,21 +105,6 @@ BasicBloomFilter::~BasicBloomFilter()
 	delete bits;
 	}
 
-IMPLEMENT_SERIAL(BasicBloomFilter, SER_BASICBLOOMFILTER)
-
-bool BasicBloomFilter::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_BASICBLOOMFILTER, BloomFilter);
-	return bits->Serialize(info);
-	}
-
-bool BasicBloomFilter::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BloomFilter);
-	bits = BitVector::Unserialize(info);
-	return (bits != 0);
-	}
-
 void BasicBloomFilter::Add(const HashKey* key)
 	{
 	Hasher::digest_vector h = hasher->Hash(key);
@@ -232,21 +192,6 @@ string CountingBloomFilter::InternalState() const
 	return fmt("%" PRIu64, cells->Hash());
 	}
 
-IMPLEMENT_SERIAL(CountingBloomFilter, SER_COUNTINGBLOOMFILTER)
-
-bool CountingBloomFilter::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_COUNTINGBLOOMFILTER, BloomFilter);
-	return cells->Serialize(info);
-	}
-
-bool CountingBloomFilter::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(BloomFilter);
-	cells = CounterVector::Unserialize(info);
-	return (cells != 0);
-	}
-
 // TODO: Use partitioning in add/count to allow for reusing CMS bounds.
 void CountingBloomFilter::Add(const HashKey* key)
 	{
diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h
index 288a24d416..03acfd17d6 100644
--- a/src/probabilistic/BloomFilter.h
+++ b/src/probabilistic/BloomFilter.h
@@ -14,12 +14,12 @@ class CounterVector;
 /**
  * The abstract base class for Bloom filters.
  */
-class BloomFilter : public SerialObj {
+class BloomFilter {
 public:
 	/**
 	 * Destructor.
 	 */
-	~BloomFilter() override;
+	virtual ~BloomFilter();
 
 	/**
 	 * Adds an element to the Bloom filter.
@@ -71,28 +71,7 @@ public:
 	 */
 	virtual string InternalState() const = 0;
 
-	/**
-	 * Serializes the Bloom filter.
-	 *
-	 * @param info The serializaton information to use.
-	 *
-	 * @return True if successful.
-	 */
-	bool Serialize(SerialInfo* info) const;
-
-	/**
-	 * Unserializes a Bloom filter.
-	 *
-	 * @param info The serializaton information to use.
-	 *
-	 * @return The unserialized Bloom filter, or null if an error
-	 * occured.
-	 */
-	static BloomFilter* Unserialize(UnserialInfo* info);
-
 protected:
-	DECLARE_ABSTRACT_SERIAL(BloomFilter);
-
 	/**
 	 * Default constructor.
 	 */
@@ -165,8 +144,6 @@ public:
 	string InternalState() const override;
 
 protected:
-	DECLARE_SERIAL(BasicBloomFilter);
-
 	/**
 	 * Default constructor.
 	 */
@@ -210,8 +187,6 @@ public:
 	string InternalState() const override;
 
 protected:
-	DECLARE_SERIAL(CountingBloomFilter);
-
 	/**
 	 * Default constructor.
 	 */
diff --git a/src/probabilistic/CardinalityCounter.cc b/src/probabilistic/CardinalityCounter.cc
index 64715c39fd..17caec3e0e 100644
--- a/src/probabilistic/CardinalityCounter.cc
+++ b/src/probabilistic/CardinalityCounter.cc
@@ -6,7 +6,6 @@
 
 #include "CardinalityCounter.h"
 #include "Reporter.h"
-#include "Serializer.h"
 
 using namespace probabilistic;
 
@@ -197,51 +196,6 @@ uint64_t CardinalityCounter::GetM() const
 	return m;
 	}
 
-bool CardinalityCounter::Serialize(SerialInfo* info) const
-	{
-	bool valid = true;
-
-	valid &= SERIALIZE(m);
-	valid &= SERIALIZE(V);
-	valid &= SERIALIZE(alpha_m);
-
-	for ( unsigned int i = 0; i < m; i++ )
-		valid &= SERIALIZE((char)buckets[i]);
-
-	return valid;
-	}
-
-CardinalityCounter* CardinalityCounter::Unserialize(UnserialInfo* info)
-	{
-	uint64_t m;
-	uint64_t V;
-	double alpha_m;
-
-	bool valid = true;
-	valid &= UNSERIALIZE(&m);
-	valid &= UNSERIALIZE(&V);
-	valid &= UNSERIALIZE(&alpha_m);
-
-	CardinalityCounter* c = new CardinalityCounter(m, V, alpha_m);
-
-	vector<uint8_t>& buckets = c->buckets;
-
-	for ( unsigned int i = 0; i < m; i++ )
-		{
-		char c;
-		valid &= UNSERIALIZE(&c);
-		buckets[i] = (uint8_t)c;
-		}
-
-	if ( ! valid )
-		{
-		delete c;
-		c = 0;
-		}
-
-	return c;
-	}
-
 /**
  * The following function is copied from libc/string/flsll.c from the FreeBSD source
  * tree. Original copyright message follows
diff --git a/src/probabilistic/CardinalityCounter.h b/src/probabilistic/CardinalityCounter.h
index cde2ec402b..7d898b3c47 100644
--- a/src/probabilistic/CardinalityCounter.h
+++ b/src/probabilistic/CardinalityCounter.h
@@ -84,25 +84,6 @@ public:
 	 */
 	bool Merge(CardinalityCounter* c);
 
-	/**
-	 * Serializes the cardinality counter.
-	 *
-	 * @param info The serializaton information to use.
-	 *
-	 * @return True if successful.
-	 */
-	bool Serialize(SerialInfo* info) const;
-
-	/**
-	 * Unserializes a cardinality counter.
-	 *
-	 * @param info The serializaton information to use.
-	 *
-	 * @return The unserialized cardinality counter, or null if an error
-	 * 	   occured.
-	 */
-	static CardinalityCounter* Unserialize(UnserialInfo* info);
-
 protected:
 	/**
 	 * Return the number of buckets.
diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc
index 8608015422..1a3c98c73f 100644
--- a/src/probabilistic/CounterVector.cc
+++ b/src/probabilistic/CounterVector.cc
@@ -4,7 +4,6 @@
 
 #include <limits>
 #include "BitVector.h"
-#include "Serializer.h"
 
 using namespace probabilistic;
 
@@ -153,46 +152,8 @@ CounterVector operator|(const CounterVector& x, const CounterVector& y)
 
 }
 
-uint64 CounterVector::Hash() const
+uint64_t CounterVector::Hash() const
 	{
 	return bits->Hash();
 	}
 
-bool CounterVector::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-CounterVector* CounterVector::Unserialize(UnserialInfo* info)
-	{
-	return reinterpret_cast<CounterVector*>(SerialObj::Unserialize(info, SER_COUNTERVECTOR));
-	}
-
-IMPLEMENT_SERIAL(CounterVector, SER_COUNTERVECTOR)
-
-bool CounterVector::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_COUNTERVECTOR, SerialObj);
-
-	if ( ! bits->Serialize(info) )
-		return false;
-
-	return SERIALIZE(static_cast<uint64>(width));
-	}
-
-bool CounterVector::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	bits = BitVector::Unserialize(info);
-	if ( ! bits )
-		return false;
-
-	uint64 w;
-	if ( ! UNSERIALIZE(&w) )
-		return false;
-
-	width = static_cast<size_t>(w);
-
-	return true;
-	}
diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h
index 422d172292..04394ebca2 100644
--- a/src/probabilistic/CounterVector.h
+++ b/src/probabilistic/CounterVector.h
@@ -3,7 +3,8 @@
 #ifndef PROBABILISTIC_COUNTERVECTOR_H
 #define PROBABILISTIC_COUNTERVECTOR_H
 
-#include "SerialObj.h"
+#include <cstddef>
+#include <cstdint>
 
 namespace probabilistic {
 
@@ -12,10 +13,10 @@ class BitVector;
 /**
  * A vector of counters, each of which has a fixed number of bits.
  */
-class CounterVector : public SerialObj {
+class CounterVector {
 public:
 	typedef size_t size_type;
-	typedef uint64 count_type;
+	typedef uint64_t count_type;
 
 	/**
 	 * Constructs a counter vector having cells of a given width.
@@ -38,7 +39,7 @@ public:
 	/**
 	 * Destructor.
 	 */
-	~CounterVector() override;
+	virtual ~CounterVector();
 
 	/**
 	 * Increments a given cell.
@@ -131,26 +132,7 @@ public:
 	  *
 	  * @return The hash.
 	  */
-	uint64 Hash() const;
-
-	/**
-	 * Serializes the bit vector.
-	 *
-	 * @param info The serializaton information to use.
-	 *
-	 * @return True if successful.
-	 */
-	bool Serialize(SerialInfo* info) const;
-
-	/**
-	 * Unserialize the counter vector.
-	 *
-	 * @param info The serializaton information to use.
-	 *
-	 * @return The unserialized counter vector, or null if an error
-	 * occured.
-	 */
-	static CounterVector* Unserialize(UnserialInfo* info);
+	uint64_t Hash() const;
 
 protected:
 	friend CounterVector operator|(const CounterVector& x,
@@ -158,8 +140,6 @@ protected:
 
 	CounterVector() { }
 
-	DECLARE_SERIAL(CounterVector);
-
 private:
 	CounterVector& operator=(const CounterVector&); // Disable.
 
diff --git a/src/probabilistic/Hasher.cc b/src/probabilistic/Hasher.cc
index d21efbed41..8508cd01ad 100644
--- a/src/probabilistic/Hasher.cc
+++ b/src/probabilistic/Hasher.cc
@@ -5,7 +5,6 @@
 
 #include "Hasher.h"
 #include "NetVar.h"
-#include "Serializer.h"
 #include "digest.h"
 #include "siphash24.h"
 
@@ -41,52 +40,6 @@ Hasher::digest_vector Hasher::Hash(const HashKey* key) const
 	return Hash(key->Key(), key->Size());
 	}
 
-bool Hasher::Serialize(SerialInfo* info) const
-	{
-	return SerialObj::Serialize(info);
-	}
-
-Hasher* Hasher::Unserialize(UnserialInfo* info)
-	{
-	return reinterpret_cast<Hasher*>(SerialObj::Unserialize(info, SER_HASHER));
-	}
-
-bool Hasher::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_HASHER, SerialObj);
-
-	if ( ! SERIALIZE(static_cast<uint16>(k)) )
-		return false;
-
-	if ( ! SERIALIZE(static_cast<uint64>(seed.h1)) )
-		return false;
-
-	return SERIALIZE(static_cast<uint64>(seed.h2));
-	}
-
-bool Hasher::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(SerialObj);
-
-	uint16 serial_k;
-	if ( ! UNSERIALIZE(&serial_k) )
-		return false;
-
-	k = serial_k;
-	assert(k > 0);
-
-	seed_t serial_seed;
-	if ( ! UNSERIALIZE(&serial_seed.h1) )
-		return false;
-
-	if ( ! UNSERIALIZE(&serial_seed.h2) )
-		return false;
-
-	seed = serial_seed;
-
-	return true;
-	}
-
 Hasher::Hasher(size_t arg_k, seed_t arg_seed)
 	{
 	k = arg_k;
@@ -167,31 +120,6 @@ bool DefaultHasher::Equals(const Hasher* other) const
 	return hash_functions == o->hash_functions;
 	}
 
-IMPLEMENT_SERIAL(DefaultHasher, SER_DEFAULTHASHER)
-
-bool DefaultHasher::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_DEFAULTHASHER, Hasher);
-
-	// Nothing to do here, the base class has all we need serialized already.
-	return true;
-	}
-
-bool DefaultHasher::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Hasher);
-
-	hash_functions.clear();
-	for ( size_t i = 0; i < K(); ++i )
-		{
-		Hasher::seed_t s = Seed();
-		s.h1 += bro_prng(i);
-		hash_functions.push_back(UHF(s));
-		}
-
-	return true;
-	}
-
 DoubleHasher::DoubleHasher(size_t k, seed_t seed)
 	: Hasher(k, seed), h1(seed + bro_prng(1)), h2(seed + bro_prng(2))
 	{
@@ -223,22 +151,3 @@ bool DoubleHasher::Equals(const Hasher* other) const
 	return h1 == o->h1 && h2 == o->h2;
 	}
 
-IMPLEMENT_SERIAL(DoubleHasher, SER_DOUBLEHASHER)
-
-bool DoubleHasher::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_DOUBLEHASHER, Hasher);
-
-	// Nothing to do here, the base class has all we need serialized already.
-	return true;
-	}
-
-bool DoubleHasher::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(Hasher);
-
-	h1 = UHF(Seed() + bro_prng(1));
-	h2 = UHF(Seed() + bro_prng(2));
-
-	return true;
-	}
diff --git a/src/probabilistic/Hasher.h b/src/probabilistic/Hasher.h
index 7fd2e4fb2f..baceb45fff 100644
--- a/src/probabilistic/Hasher.h
+++ b/src/probabilistic/Hasher.h
@@ -4,7 +4,6 @@
 #define PROBABILISTIC_HASHER_H
 
 #include "Hash.h"
-#include "SerialObj.h"
 
 namespace probabilistic {
 
@@ -12,7 +11,7 @@ namespace probabilistic {
  * Abstract base class for hashers. A hasher creates a family of hash
  * functions to hash an element *k* times.
  */
-class Hasher : public SerialObj {
+class Hasher {
 public:
 	typedef hash_t digest;
 	typedef std::vector<digest> digest_vector;
@@ -43,7 +42,7 @@ public:
 	/**
 	 * Destructor.
 	 */
-	~Hasher() override { }
+	virtual ~Hasher() { }
 
 	/**
 	 * Computes hash values for an element.
@@ -99,12 +98,7 @@ public:
 	 */
 	seed_t Seed() const	{ return seed; }
 
-	bool Serialize(SerialInfo* info) const;
-	static Hasher* Unserialize(UnserialInfo* info);
-
 protected:
-	DECLARE_ABSTRACT_SERIAL(Hasher);
-
 	Hasher() { }
 
 	/**
@@ -208,8 +202,6 @@ public:
 	DefaultHasher* Clone() const final;
 	bool Equals(const Hasher* other) const final;
 
-	DECLARE_SERIAL(DefaultHasher);
-
 private:
 	DefaultHasher() { }
 
@@ -236,8 +228,6 @@ public:
 	DoubleHasher* Clone() const final;
 	bool Equals(const Hasher* other) const final;
 
-	DECLARE_SERIAL(DoubleHasher);
-
 private:
 	DoubleHasher() { }
 
diff --git a/src/probabilistic/Topk.cc b/src/probabilistic/Topk.cc
index d3d3d6a132..ca3511069a 100644
--- a/src/probabilistic/Topk.cc
+++ b/src/probabilistic/Topk.cc
@@ -3,13 +3,10 @@
 #include "probabilistic/Topk.h"
 #include "CompHash.h"
 #include "Reporter.h"
-#include "Serializer.h"
 #include "NetVar.h"
 
 namespace probabilistic {
 
-IMPLEMENT_SERIAL(TopkVal, SER_TOPK_VAL);
-
 static void topk_element_hash_delete_func(void* val)
 	{
 	Element* e = (Element*) val;
@@ -183,109 +180,6 @@ void TopkVal::Merge(const TopkVal* value, bool doPrune)
 		}
 	}
 
-bool TopkVal::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_TOPK_VAL, OpaqueVal);
-
-	bool v = true;
-
-	v &= SERIALIZE(size);
-	v &= SERIALIZE(numElements);
-	v &= SERIALIZE(pruned);
-
-	bool type_present = (type != 0);
-	v &= SERIALIZE(type_present);
-
-	if ( type_present )
-		v &= type->Serialize(info);
-	else
-		assert(numElements == 0);
-
-	uint64_t i = 0;
-	std::list<Bucket*>::const_iterator it = buckets.begin();
-	while ( it != buckets.end() )
-		{
-		Bucket* b = *it;
-		uint32_t elements_count = b->elements.size();
-		v &= SERIALIZE(elements_count);
-		v &= SERIALIZE(b->count);
-
-		std::list<Element*>::const_iterator eit = b->elements.begin();
-		while ( eit != b->elements.end() )
-			{
-			Element* element = *eit;
-			v &= SERIALIZE(element->epsilon);
-			v &= element->value->Serialize(info);
-
-			eit++;
-			i++;
-			}
-
-		it++;
-		}
-
-	assert(i == numElements);
-
-	return v;
-	}
-
-bool TopkVal::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(OpaqueVal);
-
-	bool v = true;
-
-	v &= UNSERIALIZE(&size);
-	v &= UNSERIALIZE(&numElements);
-	v &= UNSERIALIZE(&pruned);
-
-	bool type_present = false;
-	v &= UNSERIALIZE(&type_present);
-	if ( type_present )
-		{
-		BroType* deserialized_type = BroType::Unserialize(info);
-
-		Typify(deserialized_type);
-		Unref(deserialized_type);
-		assert(type);
-		}
-	else
-		assert(numElements == 0);
-
-	uint64_t i = 0;
-	while ( i < numElements )
-		{
-		Bucket* b = new Bucket();
-		uint32_t elements_count;
-		v &= UNSERIALIZE(&elements_count);
-		v &= UNSERIALIZE(&b->count);
-		b->bucketPos = buckets.insert(buckets.end(), b);
-
-		for ( uint64_t j = 0; j < elements_count; j++ )
-			{
-			Element* e = new Element();
-			v &= UNSERIALIZE(&e->epsilon);
-			e->value = Val::Unserialize(info, type);
-			e->parent = b;
-
-			b->elements.insert(b->elements.end(), e);
-
-			HashKey* key = GetHash(e->value);
-			assert (elementDict->Lookup(key) == 0);
-
-			elementDict->Insert(key, e);
-			delete key;
-
-			i++;
-			}
-		}
-
-	assert(i == numElements);
-
-	return v;
-	}
-
-
 VectorVal* TopkVal::GetTopK(int k) const // returns vector
 	{
 	if ( numElements == 0 )
diff --git a/src/probabilistic/Topk.h b/src/probabilistic/Topk.h
index fac677a454..3d93bf90b0 100644
--- a/src/probabilistic/Topk.h
+++ b/src/probabilistic/Topk.h
@@ -161,8 +161,6 @@ private:
 	uint64 size; // how many elements are we tracking?
 	uint64 numElements; // how many elements do we have at the moment
 	bool pruned; // was this data structure pruned?
-
-	DECLARE_SERIAL(TopkVal);
 };
 
 };

From ffa173abc0f4054b3e757040f4af2c667f501a45 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Fri, 17 May 2019 11:13:04 -0700
Subject: [PATCH 04/91] Implement a Shallow Clone operation for types.

This is needed to track name changes for the documentation.

With this things, which do not need val-cloning, generally seem to work
again. There are a whole bunch of test failures at the moment.
---
 src/Type.cc | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 src/Type.h  | 31 +++++++++++++++++------
 src/Var.cc  |  2 +-
 3 files changed, 92 insertions(+), 12 deletions(-)

diff --git a/src/Type.cc b/src/Type.cc
index f252aea70f..fc0c9ef43a 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -121,9 +121,29 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 
 	}
 
-BroType* BroType::Clone() const
+BroType* BroType::ShallowClone() const
 	{
-	// Fixme: Johanna
+	switch ( tag ) {
+		case TYPE_VOID:
+		case TYPE_BOOL:
+		case TYPE_INT:
+		case TYPE_COUNT:
+		case TYPE_COUNTER:
+		case TYPE_DOUBLE:
+		case TYPE_TIME:
+		case TYPE_INTERVAL:
+		case TYPE_STRING:
+		case TYPE_PATTERN:
+		case TYPE_TIMER:
+		case TYPE_PORT:
+		case TYPE_ADDR:
+		case TYPE_SUBNET:
+		case TYPE_ANY:
+			return new BroType(tag, base_type);
+
+		default:
+			reporter->InternalError("cloning illegal base BroType");
+	}
 	return nullptr;
 	}
 
@@ -381,6 +401,16 @@ TableType::TableType(TypeList* ind, BroType* yield)
 		}
 	}
 
+TableType* TableType::ShallowClone() const
+	{
+	if ( indices )
+		indices->Ref();
+	if ( yield_type )
+		yield_type->Ref();
+
+	return new TableType(indices, yield_type);
+	}
+
 bool TableType::IsUnspecifiedTable() const
 	{
 	// Unspecified types have an empty list of indices.
@@ -488,6 +518,16 @@ FuncType::FuncType(RecordType* arg_args, BroType* arg_yield, function_flavor arg
 		}
 	}
 
+FuncType* FuncType::ShallowClone() const
+	{
+	auto f = new FuncType();
+	f->args = args->Ref()->AsRecordType();
+	f->arg_types = arg_types->Ref()->AsTypeList();
+	f->yield = yield->Ref();
+	f->flavor = flavor;
+	return f;
+	}
+
 string FuncType::FlavorString() const
 	{
 	switch ( flavor ) {
@@ -646,6 +686,16 @@ RecordType::RecordType(type_decl_list* arg_types) : BroType(TYPE_RECORD)
 	num_fields = types ? types->length() : 0;
 	}
 
+// in this case the clone is actually not so shallow, since
+// it gets modified by everyone.
+RecordType* RecordType::ShallowClone() const
+	{
+	auto pass = new type_decl_list();
+	loop_over_list(*types, i)
+		pass->append(new TypeDecl(*(*types)[i]));
+	return new RecordType(pass);
+	}
+
 RecordType::~RecordType()
 	{
 	if ( types )
@@ -991,18 +1041,26 @@ EnumType::EnumType(const string& name)
 	SetName(name);
 	}
 
-EnumType::EnumType(EnumType* e)
+EnumType::EnumType(const EnumType* e)
 	: BroType(TYPE_ENUM)
 	{
 	counter = e->counter;
 	SetName(e->GetName());
 
-	for ( NameMap::iterator it = e->names.begin(); it != e->names.end(); ++it )
+	for ( auto it = e->names.begin(); it != e->names.end(); ++it )
 		names[it->first] = it->second;
 
 	vals = e->vals;
 	}
 
+EnumType* EnumType::ShallowClone() const
+	{
+	if ( counter == 0 )
+		return new EnumType(GetName());
+
+	return new EnumType(this);
+	}
+
 EnumType::~EnumType()
 	{
 	for ( auto& kv : vals )
@@ -1231,6 +1289,11 @@ VectorType::VectorType(BroType* element_type)
 	{
 	}
 
+VectorType* VectorType::ShallowClone() const
+	{
+	return new VectorType(yield_type);
+	}
+
 VectorType::~VectorType()
 	{
 	Unref(yield_type);
diff --git a/src/Type.h b/src/Type.h
index 4825feeb2f..9af6c9c96f 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -86,7 +86,15 @@ public:
 	explicit BroType(TypeTag tag, bool base_type = false);
 	~BroType() override { }
 
-	BroType* Clone() const;
+	// Performs a shallow clone operation of the Bro type.
+	// This especially means that especially for tables the types
+	// are not recursively cloned; altering one type will in this case
+	// alter one of them.
+	// The main use for this is alias tracking.
+	// Clone operations will mostly be implemented in the derived classes;
+	// in addition cloning will be limited to classes that can be reached by
+	// the script-level.
+	virtual BroType* ShallowClone() const;
 
 	TypeTag Tag() const		{ return tag; }
 	InternalTypeTag InternalType() const	{ return internal_tag; }
@@ -107,7 +115,7 @@ public:
 	// this type is a table[string] of port, then returns the "port"
 	// type.  Returns nil if this is not an index type.
 	virtual BroType* YieldType();
-	const BroType* YieldType() const
+	virtual const BroType* YieldType() const
 		{ return ((BroType*) this)->YieldType(); }
 
 	// Returns true if this type is a record and contains the
@@ -330,7 +338,7 @@ public:
 	TypeList* Indices() const		{ return indices; }
 	const type_list* IndexTypes() const	{ return indices->Types(); }
 	BroType* YieldType() override;
-	const BroType* YieldType() const;
+	const BroType* YieldType() const override;
 
 	void Describe(ODesc* d) const override;
 	void DescribeReST(ODesc* d, bool roles_only = false) const override;
@@ -356,6 +364,8 @@ class TableType : public IndexType {
 public:
 	TableType(TypeList* ind, BroType* yield);
 
+	TableType* ShallowClone() const override;
+
 	// Returns true if this table type is "unspecified", which is
 	// what one gets using an empty "set()" or "table()" constructor.
 	bool IsUnspecifiedTable() const;
@@ -382,12 +392,13 @@ protected:
 class FuncType : public BroType {
 public:
 	FuncType(RecordType* args, BroType* yield, function_flavor f);
+	FuncType* ShallowClone() const override;
 
 	~FuncType() override;
 
 	RecordType* Args() const	{ return args; }
 	BroType* YieldType() override;
-	const BroType* YieldType() const;
+	const BroType* YieldType() const override;
 	void SetYieldType(BroType* arg_yield)	{ yield = arg_yield; }
 	function_flavor Flavor() const { return flavor; }
 	string FlavorString() const;
@@ -405,7 +416,7 @@ public:
 	void DescribeReST(ODesc* d, bool roles_only = false) const override;
 
 protected:
-	FuncType()	{ args = 0; arg_types = 0; yield = 0; flavor = FUNC_FLAVOR_FUNCTION; }
+	FuncType() : BroType(TYPE_FUNC) { args = 0; arg_types = 0; yield = 0; flavor = FUNC_FLAVOR_FUNCTION; }
 	RecordType* args;
 	TypeList* arg_types;
 	BroType* yield;
@@ -415,6 +426,7 @@ protected:
 class TypeType : public BroType {
 public:
 	explicit TypeType(BroType* t) : BroType(TYPE_TYPE)	{ type = t->Ref(); }
+	TypeType* ShallowClone() const override { return new TypeType(type); }
 	~TypeType() override { Unref(type); }
 
 	BroType* Type()	{ return type; }
@@ -447,6 +459,7 @@ typedef PList(TypeDecl) type_decl_list;
 class RecordType : public BroType {
 public:
 	explicit RecordType(type_decl_list* types);
+	RecordType* ShallowClone() const override;
 
 	~RecordType() override;
 
@@ -495,6 +508,7 @@ public:
 class FileType : public BroType {
 public:
 	explicit FileType(BroType* yield_type);
+	FileType* ShallowClone() const override { return new FileType(yield->Ref()); }
 	~FileType() override;
 
 	BroType* YieldType() override;
@@ -510,6 +524,7 @@ protected:
 class OpaqueType : public BroType {
 public:
 	explicit OpaqueType(const string& name);
+	OpaqueType* ShallowClone() const override { return new OpaqueType(name); }
 	~OpaqueType() override { };
 
 	const string& Name() const { return name; }
@@ -527,8 +542,9 @@ class EnumType : public BroType {
 public:
 	typedef std::list<std::pair<string, bro_int_t> > enum_name_list;
 
-	explicit EnumType(EnumType* e);
+	explicit EnumType(const EnumType* e);
 	explicit EnumType(const string& arg_name);
+	EnumType* ShallowClone() const override;
 	~EnumType() override;
 
 	// The value of this name is next internal counter value, starting
@@ -580,9 +596,10 @@ protected:
 class VectorType : public BroType {
 public:
 	explicit VectorType(BroType* t);
+	VectorType* ShallowClone() const override;
 	~VectorType() override;
 	BroType* YieldType() override;
-	const BroType* YieldType() const;
+	const BroType* YieldType() const override;
 
 	int MatchesIndex(ListExpr*& index) const override;
 
diff --git a/src/Var.cc b/src/Var.cc
index 3c056ae194..f0cae1224c 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -273,7 +273,7 @@ void add_type(ID* id, BroType* t, attr_list* attr)
 		tnew = t;
 	else
 		// Clone the type to preserve type name aliasing.
-		tnew = t->Clone();
+		tnew = t->ShallowClone();
 
 	BroType::AddAlias(new_type_name, tnew);
 

From 38652ee8d91b3a898cc0752e10e4abecf212c768 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Thu, 23 May 2019 18:52:33 -0700
Subject: [PATCH 05/91] Remove test-case for removed functionality

---
 testing/btest/Baseline/bifs.capture_state_updates/out | 1 -
 testing/btest/bifs/capture_state_updates.zeek         | 9 ---------
 2 files changed, 10 deletions(-)
 delete mode 100644 testing/btest/Baseline/bifs.capture_state_updates/out
 delete mode 100644 testing/btest/bifs/capture_state_updates.zeek

diff --git a/testing/btest/Baseline/bifs.capture_state_updates/out b/testing/btest/Baseline/bifs.capture_state_updates/out
deleted file mode 100644
index 62a6e3c9df..0000000000
--- a/testing/btest/Baseline/bifs.capture_state_updates/out
+++ /dev/null
@@ -1 +0,0 @@
-T
diff --git a/testing/btest/bifs/capture_state_updates.zeek b/testing/btest/bifs/capture_state_updates.zeek
deleted file mode 100644
index b9a802a53d..0000000000
--- a/testing/btest/bifs/capture_state_updates.zeek
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# @TEST-EXEC: zeek -b %INPUT >out
-# @TEST-EXEC: btest-diff out
-# @TEST-EXEC: test -f testfile
-
-event zeek_init()
-	{
-	print capture_state_updates("testfile");
-	}

From 9f4749adce25d7069ddc12d9539bc6885d055388 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Thu, 23 May 2019 18:52:53 -0700
Subject: [PATCH 06/91] Remove const from ShallowClone.

It was not actually const due to Ref-ing.
---
 src/Type.cc | 12 ++++++------
 src/Type.h  | 18 +++++++++---------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/Type.cc b/src/Type.cc
index 3849eec521..ca1037a064 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -121,7 +121,7 @@ BroType::BroType(TypeTag t, bool arg_base_type)
 
 	}
 
-BroType* BroType::ShallowClone() const
+BroType* BroType::ShallowClone()
 	{
 	switch ( tag ) {
 		case TYPE_VOID:
@@ -401,7 +401,7 @@ TableType::TableType(TypeList* ind, BroType* yield)
 		}
 	}
 
-TableType* TableType::ShallowClone() const
+TableType* TableType::ShallowClone()
 	{
 	if ( indices )
 		indices->Ref();
@@ -518,7 +518,7 @@ FuncType::FuncType(RecordType* arg_args, BroType* arg_yield, function_flavor arg
 		}
 	}
 
-FuncType* FuncType::ShallowClone() const
+FuncType* FuncType::ShallowClone()
 	{
 	auto f = new FuncType();
 	f->args = args->Ref()->AsRecordType();
@@ -688,7 +688,7 @@ RecordType::RecordType(type_decl_list* arg_types) : BroType(TYPE_RECORD)
 
 // in this case the clone is actually not so shallow, since
 // it gets modified by everyone.
-RecordType* RecordType::ShallowClone() const
+RecordType* RecordType::ShallowClone()
 	{
 	auto pass = new type_decl_list();
 	loop_over_list(*types, i)
@@ -1053,7 +1053,7 @@ EnumType::EnumType(const EnumType* e)
 	vals = e->vals;
 	}
 
-EnumType* EnumType::ShallowClone() const
+EnumType* EnumType::ShallowClone()
 	{
 	if ( counter == 0 )
 		return new EnumType(GetName());
@@ -1289,7 +1289,7 @@ VectorType::VectorType(BroType* element_type)
 	{
 	}
 
-VectorType* VectorType::ShallowClone() const
+VectorType* VectorType::ShallowClone()
 	{
 	return new VectorType(yield_type);
 	}
diff --git a/src/Type.h b/src/Type.h
index 9af6c9c96f..a97f7360c8 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -94,7 +94,7 @@ public:
 	// Clone operations will mostly be implemented in the derived classes;
 	// in addition cloning will be limited to classes that can be reached by
 	// the script-level.
-	virtual BroType* ShallowClone() const;
+	virtual BroType* ShallowClone();
 
 	TypeTag Tag() const		{ return tag; }
 	InternalTypeTag InternalType() const	{ return internal_tag; }
@@ -364,7 +364,7 @@ class TableType : public IndexType {
 public:
 	TableType(TypeList* ind, BroType* yield);
 
-	TableType* ShallowClone() const override;
+	TableType* ShallowClone() override;
 
 	// Returns true if this table type is "unspecified", which is
 	// what one gets using an empty "set()" or "table()" constructor.
@@ -392,7 +392,7 @@ protected:
 class FuncType : public BroType {
 public:
 	FuncType(RecordType* args, BroType* yield, function_flavor f);
-	FuncType* ShallowClone() const override;
+	FuncType* ShallowClone() override;
 
 	~FuncType() override;
 
@@ -426,7 +426,7 @@ protected:
 class TypeType : public BroType {
 public:
 	explicit TypeType(BroType* t) : BroType(TYPE_TYPE)	{ type = t->Ref(); }
-	TypeType* ShallowClone() const override { return new TypeType(type); }
+	TypeType* ShallowClone() override { return new TypeType(type); }
 	~TypeType() override { Unref(type); }
 
 	BroType* Type()	{ return type; }
@@ -459,7 +459,7 @@ typedef PList(TypeDecl) type_decl_list;
 class RecordType : public BroType {
 public:
 	explicit RecordType(type_decl_list* types);
-	RecordType* ShallowClone() const override;
+	RecordType* ShallowClone() override;
 
 	~RecordType() override;
 
@@ -508,7 +508,7 @@ public:
 class FileType : public BroType {
 public:
 	explicit FileType(BroType* yield_type);
-	FileType* ShallowClone() const override { return new FileType(yield->Ref()); }
+	FileType* ShallowClone() override { return new FileType(yield->Ref()); }
 	~FileType() override;
 
 	BroType* YieldType() override;
@@ -524,7 +524,7 @@ protected:
 class OpaqueType : public BroType {
 public:
 	explicit OpaqueType(const string& name);
-	OpaqueType* ShallowClone() const override { return new OpaqueType(name); }
+	OpaqueType* ShallowClone() override { return new OpaqueType(name); }
 	~OpaqueType() override { };
 
 	const string& Name() const { return name; }
@@ -544,7 +544,7 @@ public:
 
 	explicit EnumType(const EnumType* e);
 	explicit EnumType(const string& arg_name);
-	EnumType* ShallowClone() const override;
+	EnumType* ShallowClone() override;
 	~EnumType() override;
 
 	// The value of this name is next internal counter value, starting
@@ -596,7 +596,7 @@ protected:
 class VectorType : public BroType {
 public:
 	explicit VectorType(BroType* t);
-	VectorType* ShallowClone() const override;
+	VectorType* ShallowClone() override;
 	~VectorType() override;
 	BroType* YieldType() override;
 	const BroType* YieldType() const override;

From 5a253d355b37010eba45e7665932c7de4af727d8 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer2@gmail.com>
Date: Fri, 24 May 2019 03:32:14 -0500
Subject: [PATCH 07/91] Rename directories from bro to zeek

---
 CMakeLists.txt     | 10 +++++-----
 configure          | 10 +++++-----
 src/CMakeLists.txt |  6 +++---
 zeek-config.in     |  4 ++--
 4 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index f5edf896c0..eb830e3425 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -24,7 +24,7 @@ endif ()
 set(ZEEK_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
 if (NOT ZEEK_SCRIPT_INSTALL_PATH)
     # set the default Zeek script installation path (user did not specify one)
-    set(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_ROOT_DIR}/share/bro)
+    set(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_ROOT_DIR}/share/zeek)
 endif ()
 
 if (NOT ZEEK_MAN_INSTALL_PATH)
@@ -37,7 +37,7 @@ endif ()
 get_filename_component(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_SCRIPT_INSTALL_PATH}
     ABSOLUTE)
 
-set(BRO_PLUGIN_INSTALL_PATH ${ZEEK_ROOT_DIR}/lib/bro/plugins CACHE STRING "Installation path for plugins" FORCE)
+set(BRO_PLUGIN_INSTALL_PATH ${ZEEK_ROOT_DIR}/lib/zeek/plugins CACHE STRING "Installation path for plugins" FORCE)
 
 configure_file(zeek-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev)
 
@@ -257,7 +257,7 @@ string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)
 configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.h.in
                ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h)
 include_directories(${CMAKE_CURRENT_BINARY_DIR})
-install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/bro)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/zeek)
 
 if ( CAF_ROOT_DIR )
   set(ZEEK_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR})
@@ -281,7 +281,7 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.in
                ${CMAKE_CURRENT_BINARY_DIR}/zeek-config @ONLY)
 install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/zeek-config DESTINATION bin)
 
-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro
+install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/zeek
         USE_SOURCE_PERMISSIONS)
 
 # Install wrapper script for Bro-to-Zeek renaming.
@@ -289,7 +289,7 @@ include(InstallShellScript)
 include(InstallSymlink)
 InstallShellScript("bin" "zeek-wrapper.in" "zeek-wrapper")
 InstallSymlink("${CMAKE_INSTALL_PREFIX}/bin/zeek-wrapper" "${CMAKE_INSTALL_PREFIX}/bin/bro-config")
-InstallSymlink("${CMAKE_INSTALL_PREFIX}/include/bro/zeek-config.h" "${CMAKE_INSTALL_PREFIX}/include/bro/bro-config.h")
+InstallSymlink("${CMAKE_INSTALL_PREFIX}/include/zeek/zeek-config.h" "${CMAKE_INSTALL_PREFIX}/include/zeek/bro-config.h")
 
 ########################################################################
 ## Recurse on sub-directories
diff --git a/configure b/configure
index b1ea7bdff5..eb6a38f1a0 100755
--- a/configure
+++ b/configure
@@ -31,9 +31,9 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
                            (useful for cross-compiling)
 
   Installation Directories:
-    --prefix=PREFIX        installation directory [/usr/local/bro]
+    --prefix=PREFIX        installation directory [/usr/local/zeek]
     --scriptdir=PATH       root installation directory for Zeek scripts
-                           [PREFIX/share/bro]
+                           [PREFIX/share/zeek]
     --localstatedir=PATH   when using ZeekControl, path to store log files
                            and run-time data (within log/ and spool/ subdirs)
                            [PREFIX]
@@ -127,12 +127,12 @@ remove_cache_entry () {
 
 # set defaults
 builddir=build
-prefix=/usr/local/bro
+prefix=/usr/local/zeek
 CMakeCacheEntries=""
 append_cache_entry CMAKE_INSTALL_PREFIX PATH   $prefix
 append_cache_entry ZEEK_ROOT_DIR        PATH   $prefix
 append_cache_entry PY_MOD_INSTALL_DIR   PATH   $prefix/lib/zeekctl
-append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
+append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
 append_cache_entry ZEEK_ETC_INSTALL_DIR PATH   $prefix/etc
 append_cache_entry ENABLE_DEBUG         BOOL   false
 append_cache_entry ENABLE_PERFTOOLS     BOOL   false
@@ -321,7 +321,7 @@ while [ $# -ne 0 ]; do
 done
 
 if [ "$user_set_scriptdir" != "true" ]; then
-    append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
+    append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
 fi
 
 if [ "$user_set_conffilesdir" != "true" ]; then
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 19d3799719..4176bc3c8f 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -418,7 +418,7 @@ install(CODE "
 ")
 
 install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/
-        DESTINATION include/bro
+        DESTINATION include/zeek
         FILES_MATCHING
         PATTERN "*.h"
         PATTERN "*.pac"
@@ -426,7 +426,7 @@ install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/
 )
 
 install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
-        DESTINATION include/bro
+        DESTINATION include/zeek
         FILES_MATCHING
         PATTERN "*.bif.func_h"
         PATTERN "*.bif.netvar_h"
@@ -435,5 +435,5 @@ install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
 )
 
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h
-        DESTINATION include/bro/3rdparty
+        DESTINATION include/zeek/3rdparty
 )
diff --git a/zeek-config.in b/zeek-config.in
index 5afafb56ec..50d99b6645 100755
--- a/zeek-config.in
+++ b/zeek-config.in
@@ -8,8 +8,8 @@ site_dir=@ZEEK_SCRIPT_INSTALL_PATH@/site
 plugin_dir=@BRO_PLUGIN_INSTALL_PATH@
 config_dir=@ZEEK_ETC_INSTALL_DIR@
 python_dir=@PY_MOD_INSTALL_DIR@
-cmake_dir=@CMAKE_INSTALL_PREFIX@/share/bro/cmake
-include_dir=@CMAKE_INSTALL_PREFIX@/include/bro
+cmake_dir=@CMAKE_INSTALL_PREFIX@/share/zeek/cmake
+include_dir=@CMAKE_INSTALL_PREFIX@/include/zeek
 zeekpath=@DEFAULT_ZEEKPATH@
 zeek_dist=@ZEEK_DIST@
 binpac_root=@ZEEK_CONFIG_BINPAC_ROOT_DIR@

From 232bee4096b29fe98c757d0c1437e48a3293bd44 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Wed, 29 May 2019 08:36:25 -0500
Subject: [PATCH 08/91] Remove old NTP analyzer.

---
 scripts/base/init-bare.zeek              |  23 -----
 src/NetVar.cc                            |   6 --
 src/NetVar.h                             |   3 -
 src/analyzer/protocol/CMakeLists.txt     |   1 -
 src/analyzer/protocol/ntp/CMakeLists.txt |   9 --
 src/analyzer/protocol/ntp/NTP.cc         | 114 -----------------------
 src/analyzer/protocol/ntp/NTP.h          |  69 --------------
 src/analyzer/protocol/ntp/Plugin.cc      |  25 -----
 src/analyzer/protocol/ntp/events.bif     |  21 -----
 9 files changed, 271 deletions(-)
 delete mode 100644 src/analyzer/protocol/ntp/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/ntp/NTP.cc
 delete mode 100644 src/analyzer/protocol/ntp/NTP.h
 delete mode 100644 src/analyzer/protocol/ntp/Plugin.cc
 delete mode 100644 src/analyzer/protocol/ntp/events.bif

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 6cfddfeb65..3f469ab340 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1113,9 +1113,6 @@ const table_expire_delay = 0.01 secs &redef;
 ## Time to wait before timing out a DNS request.
 const dns_session_timeout = 10 sec &redef;
 
-## Time to wait before timing out an NTP request.
-const ntp_session_timeout = 300 sec &redef;
-
 ## Time to wait before timing out an RPC request.
 const rpc_timeout = 24 sec &redef;
 
@@ -2529,26 +2526,6 @@ export {
 	};
 }
 
-module GLOBAL;
-
-## An NTP message.
-##
-## .. zeek:see:: ntp_message
-type ntp_msg: record {
-	id: count;	##< Message ID.
-	code: count;	##< Message code.
-	stratum: count;	##< Stratum.
-	poll: count;	##< Poll.
-	precision: int;	##< Precision.
-	distance: interval;	##< Distance.
-	dispersion: interval;	##< Dispersion.
-	ref_t: time;	##< Reference time.
-	originate_t: time;	##< Originating time.
-	receive_t: time;	##< Receive time.
-	xmit_t: time;	##< Send time.
-};
-
-
 module NTLM;
 
 export {
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 3717f0c90f..b9230bece7 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -77,7 +77,6 @@ bool udp_content_deliver_all_orig;
 bool udp_content_deliver_all_resp;
 
 double dns_session_timeout;
-double ntp_session_timeout;
 double rpc_timeout;
 
 ListVal* skip_authentication;
@@ -103,8 +102,6 @@ TableType* pm_mappings;
 RecordType* pm_port_request;
 RecordType* pm_callit_request;
 
-RecordType* ntp_msg;
-
 RecordType* geo_location;
 
 RecordType* entropy_test_result;
@@ -360,7 +357,6 @@ void init_net_var()
 		bool(internal_val("udp_content_deliver_all_resp")->AsBool());
 
 	dns_session_timeout = opt_internal_double("dns_session_timeout");
-	ntp_session_timeout = opt_internal_double("ntp_session_timeout");
 	rpc_timeout = opt_internal_double("rpc_timeout");
 
 	watchdog_interval = int(opt_internal_double("watchdog_interval"));
@@ -390,8 +386,6 @@ void init_net_var()
 	pm_port_request = internal_type("pm_port_request")->AsRecordType();
 	pm_callit_request = internal_type("pm_callit_request")->AsRecordType();
 
-	ntp_msg = internal_type("ntp_msg")->AsRecordType();
-
 	geo_location = internal_type("geo_location")->AsRecordType();
 
 	entropy_test_result = internal_type("entropy_test_result")->AsRecordType();
diff --git a/src/NetVar.h b/src/NetVar.h
index 30c9003dc4..9fa4d75fa6 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -80,7 +80,6 @@ extern bool udp_content_deliver_all_orig;
 extern bool udp_content_deliver_all_resp;
 
 extern double dns_session_timeout;
-extern double ntp_session_timeout;
 extern double rpc_timeout;
 
 extern ListVal* skip_authentication;
@@ -106,8 +105,6 @@ extern TableType* pm_mappings;
 extern RecordType* pm_port_request;
 extern RecordType* pm_callit_request;
 
-extern RecordType* ntp_msg;
-
 extern RecordType* geo_location;
 
 extern RecordType* entropy_test_result;
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 882ba23da9..30a86ea740 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -28,7 +28,6 @@ add_subdirectory(mysql)
 add_subdirectory(ncp)
 add_subdirectory(netbios)
 add_subdirectory(ntlm)
-add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
 add_subdirectory(radius)
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
deleted file mode 100644
index a8b8bb1872..0000000000
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-
-include(BroPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-bro_plugin_begin(Bro NTP)
-bro_plugin_cc(NTP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
deleted file mode 100644
index 61fd92ee84..0000000000
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ /dev/null
@@ -1,114 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek-config.h"
-
-#include "NetVar.h"
-#include "NTP.h"
-#include "Sessions.h"
-#include "Event.h"
-
-#include "events.bif.h"
-
-using namespace analyzer::ntp;
-
-NTP_Analyzer::NTP_Analyzer(Connection* conn)
-	: Analyzer("NTP", conn)
-	{
-	ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer,
-				network_time + ntp_session_timeout, 1,
-				TIMER_NTP_EXPIRE);
-	}
-
-void NTP_Analyzer::Done()
-	{
-	Analyzer::Done();
-	Event(udp_session_done);
-	}
-
-void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
-	{
-	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
-
-	// Actually we could just get rid of the Request/Reply and simply use
-	// the code of Message().  But for now we use it as an example of how
-	// to convert an old-style UDP analyzer.
-	if ( is_orig )
-		Request(data, len);
-	else
-		Reply(data, len);
-	}
-
-int NTP_Analyzer::Request(const u_char* data, int len)
-	{
-	Message(data, len);
-	return 1;
-	}
-
-int NTP_Analyzer::Reply(const u_char* data, int len)
-	{
-	Message(data, len);
-	return 1;
-	}
-
-void NTP_Analyzer::Message(const u_char* data, int len)
-	{
-	if ( (unsigned) len < sizeof(struct ntpdata) )
-		{
-		Weird("truncated_NTP");
-		return;
-		}
-
-	struct ntpdata* ntp_data = (struct ntpdata *) data;
-	len -= sizeof *ntp_data;
-	data += sizeof *ntp_data;
-
-	if ( ! ntp_message )
-		return;
-
-	RecordVal* msg = new RecordVal(ntp_msg);
-
-	unsigned int code = ntp_data->status & 0x7;
-
-	msg->Assign(0, val_mgr->GetCount((unsigned int) (ntohl(ntp_data->refid))));
-	msg->Assign(1, val_mgr->GetCount(code));
-	msg->Assign(2, val_mgr->GetCount((unsigned int) ntp_data->stratum));
-	msg->Assign(3, val_mgr->GetCount((unsigned int) ntp_data->ppoll));
-	msg->Assign(4, val_mgr->GetInt((unsigned int) ntp_data->precision));
-	msg->Assign(5, new Val(ShortFloat(ntp_data->distance), TYPE_INTERVAL));
-	msg->Assign(6, new Val(ShortFloat(ntp_data->dispersion), TYPE_INTERVAL));
-	msg->Assign(7, new Val(LongFloat(ntp_data->reftime), TYPE_TIME));
-	msg->Assign(8, new Val(LongFloat(ntp_data->org), TYPE_TIME));
-	msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
-	msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
-
-	ConnectionEventFast(ntp_message, {
-		BuildConnVal(),
-		msg,
-		new StringVal(new BroString(data, len, 0)),
-	});
-	}
-
-double NTP_Analyzer::ShortFloat(struct s_fixedpt fp)
-	{
-	return ConvertToDouble(ntohs(fp.int_part), ntohs(fp.fraction), 65536.0);
-	}
-
-double NTP_Analyzer::LongFloat(struct l_fixedpt fp)
-	{
-	double t = ConvertToDouble(ntohl(fp.int_part), ntohl(fp.fraction),
-				   4294967296.0);
-
-	return t ? t - JAN_1970 : 0.0;
-	}
-
-double NTP_Analyzer::ConvertToDouble(unsigned int int_part,
-				    unsigned int fraction, double frac_base)
-	{
-	return double(int_part) + double(fraction) / frac_base;
-	}
-
-void NTP_Analyzer::ExpireTimer(double /* t */)
-	{
-	Event(connection_timeout);
-	sessions->Remove(Conn());
-	}
diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
deleted file mode 100644
index 5b5d3d7baa..0000000000
--- a/src/analyzer/protocol/ntp/NTP.h
+++ /dev/null
@@ -1,69 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef ANALYZER_PROTOCOL_NTP_NTP_H
-#define ANALYZER_PROTOCOL_NTP_NTP_H
-
-#include "analyzer/protocol/udp/UDP.h"
-
-// The following are from the tcpdump distribution, credited there
-// to the U of MD implementation.
-
-#define JAN_1970	2208988800.0	/* 1970 - 1900 in seconds */
-
-namespace analyzer { namespace ntp {
-
-struct l_fixedpt {
-	unsigned int int_part;
-	unsigned int fraction;
-};
-
-struct s_fixedpt {
-	unsigned short int_part;
-	unsigned short fraction;
-};
-
-struct ntpdata {
-	unsigned char status;	/* status of local clock and leap info */
-	unsigned char stratum;	/* Stratum level */
-	unsigned char ppoll;	/* poll value */
-	int precision:8;
-	struct s_fixedpt distance;
-	struct s_fixedpt dispersion;
-	unsigned int refid;
-	struct l_fixedpt reftime;
-	struct l_fixedpt org;
-	struct l_fixedpt rec;
-	struct l_fixedpt xmt;
-};
-
-class NTP_Analyzer : public analyzer::Analyzer {
-public:
-	explicit NTP_Analyzer(Connection* conn);
-
-	static analyzer::Analyzer* Instantiate(Connection* conn)
-		{ return new NTP_Analyzer(conn); }
-
-protected:
-	void Done() override;
-	void DeliverPacket(int len, const u_char* data, bool orig,
-					uint64 seq, const IP_Hdr* ip, int caplen) override;
-
-	int Request(const u_char* data, int len);
-	int Reply(const u_char* data, int len);
-
-	// NTP is a unidirectional protocol, so no notion of "requests"
-	// as separate from "replies".
-	void Message(const u_char* data, int len);
-
-	double ShortFloat(struct s_fixedpt fp);
-	double LongFloat(struct l_fixedpt fp);
-	double ConvertToDouble(unsigned int int_part, unsigned int fraction,
-				double frac_base);
-
-	friend class ConnectionTimer;
-	void ExpireTimer(double t);
-};
-
-} } // namespace analyzer::* 
-
-#endif
diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc
deleted file mode 100644
index 3399fbb867..0000000000
--- a/src/analyzer/protocol/ntp/Plugin.cc
+++ /dev/null
@@ -1,25 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-
-#include "plugin/Plugin.h"
-
-#include "NTP.h"
-
-namespace plugin {
-namespace Bro_NTP {
-
-class Plugin : public plugin::Plugin {
-public:
-	plugin::Configuration Configure()
-		{
-		AddComponent(new ::analyzer::Component("NTP", ::analyzer::ntp::NTP_Analyzer::Instantiate));
-
-		plugin::Configuration config;
-		config.name = "Bro::NTP";
-		config.description = "NTP analyzer";
-		return config;
-		}
-} plugin;
-
-}
-}
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
deleted file mode 100644
index d32d680799..0000000000
--- a/src/analyzer/protocol/ntp/events.bif
+++ /dev/null
@@ -1,21 +0,0 @@
-## Generated for all NTP messages. Different from many other of Bro's events,
-## this one is generated for both client-side and server-side messages.
-##
-## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
-## more information about the NTP protocol.
-##
-## u: The connection record describing the corresponding UDP flow.
-##
-## msg: The parsed NTP message.
-##
-## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
-##         further parse any optional fields.
-##
-## .. zeek:see:: ntp_session_timeout
-##
-## .. todo:: Bro's current default configuration does not activate the protocol
-##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
-##    register a port for it or add a DPD payload signature.
-event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
-

From be4f6eae0eabc5ca74d867e5fadfb79db97b1a9c Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Wed, 29 May 2019 09:04:48 -0500
Subject: [PATCH 09/91] Ran binpac_quickstart for NTP (UDP, not buffered)

---
 scripts/base/init-default.zeek             |  1 +
 scripts/base/protocols/ntp/__load__.zeek   |  3 ++
 scripts/base/protocols/ntp/dpd.sig         | 14 ++++++
 scripts/base/protocols/ntp/main.zeek       | 53 ++++++++++++++++++++++
 src/analyzer/protocol/CMakeLists.txt       |  3 +-
 src/analyzer/protocol/ntp/CMakeLists.txt   | 11 +++++
 src/analyzer/protocol/ntp/NTP.cc           | 45 ++++++++++++++++++
 src/analyzer/protocol/ntp/NTP.h            | 40 ++++++++++++++++
 src/analyzer/protocol/ntp/Plugin.cc        | 25 ++++++++++
 src/analyzer/protocol/ntp/events.bif       | 14 ++++++
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 13 ++++++
 src/analyzer/protocol/ntp/ntp-protocol.pac | 19 ++++++++
 src/analyzer/protocol/ntp/ntp.pac          | 41 +++++++++++++++++
 13 files changed, 281 insertions(+), 1 deletion(-)
 create mode 100644 scripts/base/protocols/ntp/__load__.zeek
 create mode 100644 scripts/base/protocols/ntp/dpd.sig
 create mode 100644 scripts/base/protocols/ntp/main.zeek
 create mode 100644 src/analyzer/protocol/ntp/CMakeLists.txt
 create mode 100644 src/analyzer/protocol/ntp/NTP.cc
 create mode 100644 src/analyzer/protocol/ntp/NTP.h
 create mode 100644 src/analyzer/protocol/ntp/Plugin.cc
 create mode 100644 src/analyzer/protocol/ntp/events.bif
 create mode 100644 src/analyzer/protocol/ntp/ntp-analyzer.pac
 create mode 100644 src/analyzer/protocol/ntp/ntp-protocol.pac
 create mode 100644 src/analyzer/protocol/ntp/ntp.pac

diff --git a/scripts/base/init-default.zeek b/scripts/base/init-default.zeek
index d8115895dc..5630440e48 100644
--- a/scripts/base/init-default.zeek
+++ b/scripts/base/init-default.zeek
@@ -56,6 +56,7 @@
 @load base/protocols/modbus
 @load base/protocols/mysql
 @load base/protocols/ntlm
+@load base/protocols/ntp
 @load base/protocols/pop3
 @load base/protocols/radius
 @load base/protocols/rdp
diff --git a/scripts/base/protocols/ntp/__load__.zeek b/scripts/base/protocols/ntp/__load__.zeek
new file mode 100644
index 0000000000..9e43682d13
--- /dev/null
+++ b/scripts/base/protocols/ntp/__load__.zeek
@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+@load-sigs ./dpd.sig
\ No newline at end of file
diff --git a/scripts/base/protocols/ntp/dpd.sig b/scripts/base/protocols/ntp/dpd.sig
new file mode 100644
index 0000000000..2eb583c6c9
--- /dev/null
+++ b/scripts/base/protocols/ntp/dpd.sig
@@ -0,0 +1,14 @@
+# Generated by binpac_quickstart
+
+signature dpd_ntp {
+	
+	ip-proto == udp
+	
+
+	# ## TODO: Define the payload. When Bro sees this regex, on
+	# ## any port, it will enable your analyzer on that
+	# ## connection.
+	# ## payload /^NTP/
+
+	enable "ntp"
+}
\ No newline at end of file
diff --git a/scripts/base/protocols/ntp/main.zeek b/scripts/base/protocols/ntp/main.zeek
new file mode 100644
index 0000000000..74cfa44e77
--- /dev/null
+++ b/scripts/base/protocols/ntp/main.zeek
@@ -0,0 +1,53 @@
+##! Implements base functionality for NTP analysis.
+##! Generates the Ntp.log file.
+
+# Generated by binpac_quickstart
+
+module Ntp;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:     time    &log;
+		## Unique ID for the connection.
+		uid:    string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:     conn_id &log;
+		
+		# ## TODO: Add other fields here that you'd like to log.
+	};
+
+	## Event that can be handled to access the NTP record as it is sent on
+	## to the loggin framework.
+	global log_ntp: event(rec: Info);
+}
+
+# TODO: The recommended method to do dynamic protocol detection
+# (DPD) is with the signatures in dpd.sig. If you can't come up
+# with any signatures, then you can do port-based detection by
+# uncommenting the following and specifying the port(s):
+
+# const ports = { 1234/udp, 5678/udp };
+
+
+# redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Ntp::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
+
+	# TODO: If you're using port-based DPD, uncomment this.
+	# Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
+	}
+
+event ntp_event(c: connection)
+	{
+	local info: Info;
+	info$ts  = network_time();
+	info$uid = c$uid;
+	info$id  = c$id;
+
+	Log::write(Ntp::LOG, info);
+	}
\ No newline at end of file
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 30a86ea740..8ebded627b 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -28,6 +28,7 @@ add_subdirectory(mysql)
 add_subdirectory(ncp)
 add_subdirectory(netbios)
 add_subdirectory(ntlm)
+add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
 add_subdirectory(radius)
@@ -35,9 +36,9 @@ add_subdirectory(rdp)
 add_subdirectory(rfb)
 add_subdirectory(rpc)
 add_subdirectory(sip)
-add_subdirectory(snmp)
 add_subdirectory(smb)
 add_subdirectory(smtp)
+add_subdirectory(snmp)
 add_subdirectory(socks)
 add_subdirectory(ssh)
 add_subdirectory(ssl)
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
new file mode 100644
index 0000000000..b42e467af5
--- /dev/null
+++ b/src/analyzer/protocol/ntp/CMakeLists.txt
@@ -0,0 +1,11 @@
+# Generated by binpac_quickstart
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro NTP)
+	bro_plugin_cc(NTP.cc Plugin.cc)
+	bro_plugin_bif(events.bif)
+	bro_plugin_pac(ntp.pac ntp-analyzer.pac ntp-protocol.pac)
+bro_plugin_end()
\ No newline at end of file
diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
new file mode 100644
index 0000000000..6918578a02
--- /dev/null
+++ b/src/analyzer/protocol/ntp/NTP.cc
@@ -0,0 +1,45 @@
+// Generated by binpac_quickstart
+
+#include "NTP.h"
+
+#include "Reporter.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::NTP;
+
+NTP_Analyzer::NTP_Analyzer(Connection* c)
+
+: analyzer::Analyzer("NTP", c)
+
+	{
+	interp = new binpac::NTP::NTP_Conn(this);
+	
+	}
+
+NTP_Analyzer::~NTP_Analyzer()
+	{
+	delete interp;
+	}
+
+void NTP_Analyzer::Done()
+	{
+	
+	Analyzer::Done();
+	
+	}
+
+void NTP_Analyzer::DeliverPacket(int len, const u_char* data,
+	 			  bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
new file mode 100644
index 0000000000..8850addfd1
--- /dev/null
+++ b/src/analyzer/protocol/ntp/NTP.h
@@ -0,0 +1,40 @@
+// Generated by binpac_quickstart
+
+#ifndef ANALYZER_PROTOCOL_NTP_NTP_H
+#define ANALYZER_PROTOCOL_NTP_NTP_H
+
+#include "events.bif.h"
+
+
+#include "analyzer/protocol/udp/UDP.h"
+
+#include "ntp_pac.h"
+
+namespace analyzer { namespace NTP {
+
+class NTP_Analyzer
+
+: public analyzer::Analyzer {
+
+public:
+	NTP_Analyzer(Connection* conn);
+	virtual ~NTP_Analyzer();
+
+	// Overriden from Analyzer.
+	virtual void Done();
+	
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					uint64 seq, const IP_Hdr* ip, int caplen);
+	
+
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new NTP_Analyzer(conn); }
+
+protected:
+	binpac::NTP::NTP_Conn* interp;
+	
+};
+
+} } // namespace analyzer::* 
+
+#endif
\ No newline at end of file
diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc
new file mode 100644
index 0000000000..2ff9d52d66
--- /dev/null
+++ b/src/analyzer/protocol/ntp/Plugin.cc
@@ -0,0 +1,25 @@
+// Generated by binpac_quickstart
+
+#include "plugin/Plugin.h"
+
+#include "NTP.h"
+
+namespace plugin {
+namespace Bro_NTP {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::analyzer::Component("NTP",
+		             ::analyzer::NTP::NTP_Analyzer::InstantiateAnalyzer));
+
+		plugin::Configuration config;
+		config.name = "Bro::NTP";
+		config.description = "Network Time Protocol analyzer";
+		return config;
+		}
+} plugin;
+
+}
+}
\ No newline at end of file
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
new file mode 100644
index 0000000000..cb2388098c
--- /dev/null
+++ b/src/analyzer/protocol/ntp/events.bif
@@ -0,0 +1,14 @@
+# Generated by binpac_quickstart
+
+# In this file, you'll define the events that your analyzer will
+# generate. A sample event is included.
+
+# ## TODO: Edit the sample event, and add more events.
+
+## Generated for NTP connections
+##
+## See `Google <http://lmgtfy.com/?q=NTP>`__ for more information about NTP
+##
+## c: The connection
+##
+event ntp_event%(c: connection%);
\ No newline at end of file
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
new file mode 100644
index 0000000000..d5fdc54594
--- /dev/null
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -0,0 +1,13 @@
+# Generated by binpac_quickstart
+
+refine flow NTP_Flow += {
+	function proc_ntp_message(msg: NTP_PDU): bool
+		%{
+		BifEvent::generate_ntp_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
+		return true;
+		%}
+};
+
+refine typeattr NTP_PDU += &let {
+	proc: bool = $context.flow.proc_ntp_message(this);
+};
\ No newline at end of file
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
new file mode 100644
index 0000000000..7571d9f857
--- /dev/null
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -0,0 +1,19 @@
+# Generated by binpac_quickstart
+
+# ## TODO: Add your protocol structures in here.
+# ## some examples:
+
+# Types are your basic building blocks.
+# There are some builtins, or you can define your own.
+# Here's a definition for a regular expression:
+# type NTP_WHITESPACE = RE/[ \t]*/;
+
+# A record is a collection of types.
+# Here's one with the built-in types
+# type example = record {
+# 	
+# };
+
+type NTP_PDU(is_orig: bool) = record {
+	data: bytestring &restofdata;
+} &byteorder=bigendian;
\ No newline at end of file
diff --git a/src/analyzer/protocol/ntp/ntp.pac b/src/analyzer/protocol/ntp/ntp.pac
new file mode 100644
index 0000000000..f1f4e7ed22
--- /dev/null
+++ b/src/analyzer/protocol/ntp/ntp.pac
@@ -0,0 +1,41 @@
+# Generated by binpac_quickstart
+
+# Analyzer for Network Time Protocol
+#  - ntp-protocol.pac: describes the NTP protocol messages
+#  - ntp-analyzer.pac: describes the NTP analyzer code
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+	#include "events.bif.h"
+%}
+
+analyzer NTP withcontext {
+	connection: NTP_Conn;
+	flow:       NTP_Flow;
+};
+
+# Our connection consists of two flows, one in each direction.
+connection NTP_Conn(bro_analyzer: BroAnalyzer) {
+	upflow   = NTP_Flow(true);
+	downflow = NTP_Flow(false);
+};
+
+%include ntp-protocol.pac
+
+# Now we define the flow:
+flow NTP_Flow(is_orig: bool) {
+
+	# ## TODO: Determine if you want flowunit or datagram parsing:
+
+	# Using flowunit will cause the anlayzer to buffer incremental input.
+	# This is needed for &oneline and &length. If you don't need this, you'll
+	# get better performance with datagram.
+
+	# flowunit = NTP_PDU(is_orig) withcontext(connection, this);
+	datagram = NTP_PDU(is_orig) withcontext(connection, this);
+
+};
+
+%include ntp-analyzer.pac
\ No newline at end of file

From 2005a76896ba20637732db1f86911256ae5ef3ea Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Wed, 29 May 2019 09:37:55 -0500
Subject: [PATCH 10/91] WIP: BinPAC NTP analyzer

---
 scripts/base/init-bare.zeek                 |  49 ++
 scripts/base/protocols/ntp/__load__.zeek    |   2 +-
 scripts/base/protocols/ntp/consts.zeek      |  15 +
 scripts/base/protocols/ntp/main.zeek        | 122 +++--
 src/analyzer/protocol/ntp/CMakeLists.txt    |   3 +-
 src/analyzer/protocol/ntp/NTP.h             |   4 +-
 src/analyzer/protocol/ntp/events.bif        |  18 +-
 src/analyzer/protocol/ntp/ntp-analyzer.pac  |  98 +++-
 src/analyzer/protocol/ntp/ntp-protocol.pac  | 227 ++++++++-
 src/analyzer/protocol/ntp/ntp.pac           |  10 +-
 src/analyzer/protocol/ntp/types.bif         |   5 +
 testing/btest/Baseline/plugins.hooks/output | 497 +++++++++++---------
 12 files changed, 743 insertions(+), 307 deletions(-)
 create mode 100644 scripts/base/protocols/ntp/consts.zeek
 create mode 100644 src/analyzer/protocol/ntp/types.bif

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 3f469ab340..dfa00115cc 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -2526,6 +2526,55 @@ export {
 	};
 }
 
+module NTP;
+
+export {
+	## NTP message as defined in :rfc:`5905`.
+	## Doesn't include fields for mode 7 (reserved for private use), e.g. monlist
+	type NTP::Message: record {
+		## The NTP version number
+		version:            count;
+		## The NTP mode being used
+		mode:               count;
+		## The stratum (primary server, secondary server, etc.)
+		stratum:            count;
+		## The maximum interval between successive messages
+		poll:               interval;
+		## The precision of the system clock
+		precision:          interval;
+
+		## Total round-trip delay to the reference clock
+		root_delay:         interval;
+		## Total dispersion to the reference clock
+		root_disp:          interval;
+		## For stratum 0, 4 character string used for debugging
+		kiss_code:          string &optional;
+		## For stratum 1, ID assigned to the reference clock by IANA
+		ref_id:             string &optional;
+		## Above stratum 1, when using IPv4, the IP address of the reference clock
+		ref_addr:           addr &optional;
+
+		## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
+		## IPv6 address of the reference clock
+		ref_v6_hash_prefix: string &optional;
+		## Time when the system clock was last set or correct
+		ref_time:           time;
+		## Time at the client when the request departed for the NTP server
+		org_time:           time;
+		## Time at the server when the request arrived from the NTP client
+		rec_time:           time;
+		## Time at the server when the response departed for the NTP client
+		xmt_time:           time;
+		## Key used to designate a secret MD5 key
+		key_id:             count &optional;
+		## MD5 hash computed over the key followed by the NTP packet header and extension fields
+		digest:             string &optional;
+		## Number of extension fields (which are not currently parsed)
+		num_exts:           count &default=0;
+	};
+}
+
+
 module NTLM;
 
 export {
diff --git a/scripts/base/protocols/ntp/__load__.zeek b/scripts/base/protocols/ntp/__load__.zeek
index 9e43682d13..4ca8806d3b 100644
--- a/scripts/base/protocols/ntp/__load__.zeek
+++ b/scripts/base/protocols/ntp/__load__.zeek
@@ -1,3 +1,3 @@
 # Generated by binpac_quickstart
 @load ./main
-@load-sigs ./dpd.sig
\ No newline at end of file
+@load ./consts
\ No newline at end of file
diff --git a/scripts/base/protocols/ntp/consts.zeek b/scripts/base/protocols/ntp/consts.zeek
new file mode 100644
index 0000000000..8b6cec2e3d
--- /dev/null
+++ b/scripts/base/protocols/ntp/consts.zeek
@@ -0,0 +1,15 @@
+module NTP;
+
+export {
+	## The descriptions of the NTP mode value, as described
+	## in :rfc:`5905`, Figure 1
+	const modes: table[count] of string = {
+		[1] = "symmetric active",
+	 	[2] = "symmetric passive",
+		[3] = "client",
+		[4] = "server",
+		[5] = "broadcast server",
+		[6] = "broadcast client",
+		[7] = "reserved",
+	} &default=function(i: count):string { return fmt("unknown-%d", i); } &redef;
+}
\ No newline at end of file
diff --git a/scripts/base/protocols/ntp/main.zeek b/scripts/base/protocols/ntp/main.zeek
index 74cfa44e77..b39547d6a6 100644
--- a/scripts/base/protocols/ntp/main.zeek
+++ b/scripts/base/protocols/ntp/main.zeek
@@ -1,53 +1,119 @@
-##! Implements base functionality for NTP analysis.
-##! Generates the Ntp.log file.
+module NTP;
 
-# Generated by binpac_quickstart
-
-module Ntp;
+@load ./consts
 
 export {
 	redef enum Log::ID += { LOG };
 
 	type Info: record {
 		## Timestamp for when the event happened.
-		ts:     time    &log;
+		ts:        time    &log;
 		## Unique ID for the connection.
-		uid:    string  &log;
+		uid:       string  &log;
 		## The connection's 4-tuple of endpoint addresses/ports.
-		id:     conn_id &log;
-		
-		# ## TODO: Add other fields here that you'd like to log.
+		id:        conn_id &log;
+		## The version of NTP
+		ver:       count &log;
+		## The stratum (primary, secondary, etc.) of the server
+		stratum:   count &log &optional;
+		## The precision of the system clock of the client
+		precision: interval &log &optional;
+		## The time at the client that the request was sent to the server
+		org_time:   time &log &optional;
+		## The time at the server when the request was received
+		rec_time:   time &log &optional;
+		## The time at the server when the reply was sent
+		xmt_time:  time &log &optional;
+		## For stratum 0, 4 character string used for debugging
+		kiss_code: string &log &optional;
+		## For stratum 1, ID assigned to the clock by IANA
+		ref_id:    string &log &optional;
+		## The IP of the server's reference clock
+		ref_clock: addr &log &optional;
 	};
 
 	## Event that can be handled to access the NTP record as it is sent on
-	## to the loggin framework.
+	## to the logging framework.
 	global log_ntp: event(rec: Info);
 }
 
-# TODO: The recommended method to do dynamic protocol detection
-# (DPD) is with the signatures in dpd.sig. If you can't come up
-# with any signatures, then you can do port-based detection by
-# uncommenting the following and specifying the port(s):
+redef record connection += {
+	ntp: Info &optional;
+};
 
-# const ports = { 1234/udp, 5678/udp };
+const ports = { 123/udp };
 
+redef likely_server_ports += { ports };
 
-# redef likely_server_ports += { ports };
-
-event bro_init() &priority=5
+event zeek_init() &priority=5
 	{
-	Log::create_stream(Ntp::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
+	Log::create_stream(NTP::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
 
-	# TODO: If you're using port-based DPD, uncomment this.
-	# Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
 	}
 
-event ntp_event(c: connection)
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 	{
+	# Record initialization
 	local info: Info;
-	info$ts  = network_time();
-	info$uid = c$uid;
-	info$id  = c$id;
+	if ( c?$ntp )
+		info = c$ntp;
+	else
+		{
+		info$ts  = network_time();
+		info$uid = c$uid;
+		info$id  = c$id;
+		info$ver = msg$version;
+		}
 
-	Log::write(Ntp::LOG, info);
-	}
\ No newline at end of file
+	# From the request, we get the desired precision
+	if ( is_orig )
+		{
+		info$precision = msg$precision;
+		c$ntp = info;
+		return;
+		}
+
+	# From the response, we fill out most of the rest of the fields.
+	info$stratum = msg$stratum;
+	info$org_time = msg$org_time;
+	info$rec_time = msg$rec_time;
+	info$xmt_time = msg$xmt_time;
+
+	# Stratum 1 has the textual reference ID
+	if ( msg$stratum == 1 )
+		info$ref_id = gsub(msg$ref_id, /\x00*/, "");
+
+	# Higher stratums using IPv4 have the address of the reference server.
+	if ( msg$stratum > 1 )
+		{
+		if ( is_v4_addr(c$id$orig_h) )
+			info$ref_clock = msg$ref_addr;
+		}
+	c$ntp = info;
+	}
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
+	{
+	if ( ! is_orig )
+		{
+		Log::write(NTP::LOG, c$ntp);
+		delete c$ntp;
+		}
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$ntp )
+		Log::write(NTP::LOG, c$ntp);
+	}
+
+event ntp_mode6_message(c: connection, is_orig: bool, opcode: count)
+	{
+	print "Mode 6", opcode;
+	}
+
+event ntp_mode7_message(c: connection, is_orig: bool, opcode: count)
+	{
+	print "Mode 7", opcode;
+	}
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
index b42e467af5..8d603f49f6 100644
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ b/src/analyzer/protocol/ntp/CMakeLists.txt
@@ -6,6 +6,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 
 bro_plugin_begin(Bro NTP)
 	bro_plugin_cc(NTP.cc Plugin.cc)
+	bro_plugin_bif(types.bif)
 	bro_plugin_bif(events.bif)
 	bro_plugin_pac(ntp.pac ntp-analyzer.pac ntp-protocol.pac)
-bro_plugin_end()
\ No newline at end of file
+bro_plugin_end()
diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
index 8850addfd1..f7d9912131 100644
--- a/src/analyzer/protocol/ntp/NTP.h
+++ b/src/analyzer/protocol/ntp/NTP.h
@@ -4,7 +4,7 @@
 #define ANALYZER_PROTOCOL_NTP_NTP_H
 
 #include "events.bif.h"
-
+#include "types.bif.h"
 
 #include "analyzer/protocol/udp/UDP.h"
 
@@ -37,4 +37,4 @@ protected:
 
 } } // namespace analyzer::* 
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
index cb2388098c..4205b28efd 100644
--- a/src/analyzer/protocol/ntp/events.bif
+++ b/src/analyzer/protocol/ntp/events.bif
@@ -1,14 +1,12 @@
-# Generated by binpac_quickstart
-
-# In this file, you'll define the events that your analyzer will
-# generate. A sample event is included.
-
-# ## TODO: Edit the sample event, and add more events.
-
-## Generated for NTP connections
+## Generated for NTP time synchronization messages
 ##
-## See `Google <http://lmgtfy.com/?q=NTP>`__ for more information about NTP
+## For more information about NTP, refer to :rfc:`5905`
 ##
 ## c: The connection
 ##
-event ntp_event%(c: connection%);
\ No newline at end of file
+## msg: The NTP message record
+##
+event ntp_message%(c: connection, is_orig: bool, msg: NTP::Message%);
+
+event ntp_mode6_message%(c: connection, is_orig: bool, opcode: count%);
+event ntp_mode7_message%(c: connection, is_orig: bool, opcode: count%);
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index d5fdc54594..d887dd4a25 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -1,13 +1,99 @@
-# Generated by binpac_quickstart
+%extern{
+#include <math.h>
+#define FRAC_16 pow(2,-16)
+#define FRAC_32 pow(2,-32)
+// NTP defines the epoch from 1900, not 1970
+#define EPOCH_OFFSET -2208988800
+%}
+
+%header{
+Val* proc_ntp_short(const NTP_Short_Time* t);
+Val* proc_ntp_timestamp(const NTP_Time* t);
+%}
+
+%code{
+Val* proc_ntp_short(const NTP_Short_Time* t)
+	{
+	if ( t->seconds() == 0 && t->fractions() == 0 )
+		return new Val(0.0, TYPE_INTERVAL);
+	return new Val(t->seconds() + t->fractions()*FRAC_16, TYPE_INTERVAL);
+	}
+
+Val* proc_ntp_timestamp(const NTP_Time* t)
+	{
+	if ( t->seconds() == 0 && t->fractions() == 0)
+		return new Val(0.0, TYPE_TIME);
+	return new Val(EPOCH_OFFSET + t->seconds() + (t->fractions()*FRAC_32), TYPE_TIME);
+	}
+%}
 
 refine flow NTP_Flow += {
-	function proc_ntp_message(msg: NTP_PDU): bool
+	function proc_ntp_association(msg: NTP_Association): bool
 		%{
-		BifEvent::generate_ntp_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
+		RecordVal* rv = new RecordVal(BifType::Record::NTP::Message);
+		rv->Assign(0, new Val(${msg.version}, TYPE_COUNT));
+		rv->Assign(1, new Val(${msg.mode}, TYPE_COUNT));
+		rv->Assign(2, new Val(${msg.stratum}, TYPE_COUNT));
+		rv->Assign(3, new Val(pow(2, ${msg.poll}), TYPE_INTERVAL));
+		rv->Assign(4, new Val(pow(2, ${msg.precision}), TYPE_INTERVAL));
+
+		rv->Assign(5, proc_ntp_short(${msg.root_delay}));
+		rv->Assign(6, proc_ntp_short(${msg.root_dispersion}));
+		switch ( ${msg.stratum} )
+			{
+			case 0:
+				// unknown stratum => kiss code
+				rv->Assign(7, bytestring_to_val(${msg.reference_id}));
+				break;
+			case 1:
+				// reference clock => ref clock string
+				rv->Assign(8, bytestring_to_val(${msg.reference_id}));
+				break;
+			default:
+				// TODO: Check for v4/v6
+				const uint8* d = ${msg.reference_id}.data();
+				rv->Assign(9, new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
+				break;
+			}
+
+		rv->Assign(11, proc_ntp_timestamp(${msg.reference_ts}));
+		rv->Assign(12, proc_ntp_timestamp(${msg.origin_ts}));
+		rv->Assign(13, proc_ntp_timestamp(${msg.receive_ts}));
+		rv->Assign(14, proc_ntp_timestamp(${msg.transmit_ts}));
+
+		rv->Assign(17, new Val((uint32) ${msg.extensions}->size(), TYPE_COUNT));
+
+		BifEvent::generate_ntp_message(connection()->bro_analyzer(),
+		                               connection()->bro_analyzer()->Conn(),
+		                               is_orig(), rv);
+		return true;
+		%}
+
+	function proc_ntp_mode6(msg: NTP_Mode6): bool
+		%{
+		BifEvent::generate_ntp_mode6_message(connection()->bro_analyzer(),
+		                                     connection()->bro_analyzer()->Conn(),
+		                                     is_orig(), ${msg.opcode});
+		return true;
+		%}
+
+	function proc_ntp_mode7(msg: NTP_Mode7): bool
+		%{
+		BifEvent::generate_ntp_mode7_message(connection()->bro_analyzer(),
+		                                     connection()->bro_analyzer()->Conn(),
+		                                     is_orig(), ${msg.request_code});
 		return true;
 		%}
 };
 
-refine typeattr NTP_PDU += &let {
-	proc: bool = $context.flow.proc_ntp_message(this);
-};
\ No newline at end of file
+refine typeattr NTP_Association += &let {
+	proc: bool = $context.flow.proc_ntp_association(this);
+};
+
+refine typeattr NTP_Mode6 += &let {
+	proc: bool = $context.flow.proc_ntp_mode6(this);
+};
+
+refine typeattr NTP_Mode7 += &let {
+	proc: bool = $context.flow.proc_ntp_mode7(this);
+};
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index 7571d9f857..1b36974a0c 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -1,19 +1,210 @@
-# Generated by binpac_quickstart
-
-# ## TODO: Add your protocol structures in here.
-# ## some examples:
-
-# Types are your basic building blocks.
-# There are some builtins, or you can define your own.
-# Here's a definition for a regular expression:
-# type NTP_WHITESPACE = RE/[ \t]*/;
-
-# A record is a collection of types.
-# Here's one with the built-in types
-# type example = record {
-# 	
-# };
-
 type NTP_PDU(is_orig: bool) = record {
-	data: bytestring &restofdata;
-} &byteorder=bigendian;
\ No newline at end of file
+	first_byte : uint8;
+
+	# Modes 1-5 are standard NTP time sync
+	mode_chk_1 : case (mode>=1 && mode<=5) of {
+  		true  -> msg: NTP_Association(first_byte, mode, version);
+		false -> unk: empty;
+	} &requires(version);
+
+	mode_chk_2 : case (mode) of {
+		6 -> ctl_msg       : NTP_Mode6(first_byte, version) &restofdata;
+		7 -> mode_7        : NTP_Mode7(first_byte, version) &restofdata;
+		default -> unknown: bytestring &restofdata;
+	} &requires(version);
+
+} &let {
+	mode:    uint8 = (first_byte & 0x7);       # Bytes 6-8 of 8-byte value
+	version: uint8 = (first_byte & 0x38) >> 3; # Bytes 3-5 of 8-byte value
+} &byteorder=bigendian;
+
+type NTP_Association(first_byte: uint8, mode: uint8, version: uint8) = record {
+	stratum        : uint8;
+	poll           : int8;
+	precision      : int8;
+	
+	root_delay     : NTP_Short_Time;
+	root_dispersion: NTP_Short_Time;
+	reference_id   : bytestring &length=4;
+	reference_ts   : NTP_Time;
+	
+	origin_ts      : NTP_Time;
+	receive_ts     : NTP_Time;
+	transmit_ts    : NTP_Time;
+
+	extensions     : Extension_Field[] &until($input.length() <= 18);
+	have_mac       : case (offsetof(have_mac) < length) of {
+		true  -> mac : NTP_MAC;
+		false -> nil : empty;
+	} &requires(length);
+} &let {
+	leap:     bool  = (first_byte & 0xc0); # First 2 bytes of 8-byte value
+	leap_61:  bool  = (leap & 0x40) > 0;   # leap_indicator == 1
+	leap_59:  bool  = (leap & 0x80) > 0;   # leap_indicator == 2
+	leap_unk: bool  = (leap & 0xc0) > 0;   # leap_indicator == 3
+	length          = sourcedata.length();
+} &exportsourcedata;
+
+type NTP_MAC = record {
+	key_id: uint32;
+	digest: bytestring &length=16;
+} &length=18;
+
+type Extension_Field = record {
+	field_type: uint16;
+	length    : uint16;
+	data      : bytestring &length=length-4;
+};
+
+type NTP_Short_Time = record {
+	seconds:   int16;
+	fractions: int16;
+};
+
+type NTP_Time = record {
+	seconds:   uint32;
+	fractions: uint32;
+};
+
+
+# From RFC 1305, Appendix B:
+type NTP_Mode6(first_byte: uint8, version: uint8) = record {
+	rem_op  : uint8;
+	sequence: uint16;
+	status  : uint16;
+	assoc_id: uint16;
+	offset  : uint16;
+	count   : uint16;
+	data    : bytestring &length=count;
+	pad     : padding[pad_length];
+	opt_auth: bytestring &restofdata;
+} &let {
+	response_bit: bool = (rem_op & 0x80) > 0;
+	error_bit   : bool = (rem_op & 0x40) > 0;
+	more_bit    : bool = (rem_op & 0x20) > 0;
+	opcode      : uint8 = (rem_op & 0x1f);
+	pad_length  : uint8 = (count % 32 == 0) ? 0 : 32 - (count % 32);
+};
+
+
+# From ntp/include/ntp_request.h of the ntp-project:
+#
+# A mode 7 packet is used exchanging data between an NTP server
+# and a client for purposes other than time synchronization, e.g.
+# monitoring, statistics gathering and configuration.  A mode 7
+# packet has the following format:
+#
+#    0                   1                   2                   3
+#    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |R|M| VN  | Mode|A|  Sequence   | Implementation|   Req Code    |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |  Err  | Number of data items  |  MBZ  |   Size of data item   |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |                                                               |
+#   |            Data (Minimum 0 octets, maximum 500 octets)        |
+#   |                                                               |
+#                            [...]
+#   |                                                               |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |               Encryption Keyid (when A bit set)               |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |                                                               |
+#   |          Message Authentication Code (when A bit set)         |
+#   |                                                               |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#
+# where the fields are (note that the client sends requests, the server
+# responses):
+#
+# Response Bit:  This packet is a response (if clear, packet is a request).
+#
+# More Bit:	Set for all packets but the last in a response which
+#		requires more than one packet.
+#
+# Version Number: 2 for current version
+#
+# Mode:	Always 7
+#
+# Authenticated bit: If set, this packet is authenticated.
+#
+# Sequence number: For a multipacket response, contains the sequence
+#		number of this packet.  0 is the first in the sequence,
+#		127 (or less) is the last.  The More Bit must be set in
+#		all packets but the last.
+#
+# Implementation number: The number of the implementation this request code
+#		is defined by.  An implementation number of zero is used
+#		for requst codes/data formats which all implementations
+#		agree on.  Implementation number 255 is reserved (for
+#		extensions, in case we run out).
+#
+# Request code: An implementation-specific code which specifies the
+#		operation to be (which has been) performed and/or the
+#		format and semantics of the data included in the packet.
+#
+# Err:		Must be 0 for a request.  For a response, holds an error
+#		code relating to the request.  If nonzero, the operation
+#		requested wasn't performed.
+#
+#		0 - no error
+#		1 - incompatible implementation number
+#		2 - unimplemented request code
+#		3 - format error (wrong data items, data size, packet size etc.)
+#		4 - no data available (e.g. request for details on unknown peer)
+#		5-6 I don't know
+#		7 - authentication failure (i.e. permission denied)
+#
+# Number of data items: number of data items in packet.  0 to 500
+#
+# MBZ:		A reserved data field, must be zero in requests and responses.
+#
+# Size of data item: size of each data item in packet.  0 to 500
+#
+# Data:	Variable sized area containing request/response data.  For
+#		requests and responses the size in octets must be greater
+#		than or equal to the product of the number of data items
+#		and the size of a data item.  For requests the data area
+#		must be exactly 40 octets in length.  For responses the
+#		data area may be any length between 0 and 500 octets
+#		inclusive.
+#
+# Message Authentication Code: Same as NTP spec, in definition and function.
+#		May optionally be included in requests which require
+#		authentication, is never included in responses.
+#
+# The version number, mode and keyid have the same function and are
+# in the same location as a standard NTP packet.  The request packet
+# is the same size as a standard NTP packet to ease receive buffer
+# management, and to allow the same encryption procedure to be used
+# both on mode 7 and standard NTP packets.  The mac is included when
+# it is required that a request be authenticated, the keyid should be
+# zero in requests in which the mac is not included.
+#
+# The data format depends on the implementation number/request code pair
+# and whether the packet is a request or a response.  The only requirement
+# is that data items start in the octet immediately following the size
+# word and that data items be concatenated without padding between (i.e.
+# if the data area is larger than data_items*size, all padding is at
+# the end).  Padding is ignored, other than for encryption purposes.
+# Implementations using encryption might want to include a time stamp
+# or other data in the request packet padding.  The key used for requests
+# is implementation defined, but key 15 is suggested as a default.
+#
+type NTP_Mode7(first_byte: uint8, version: uint8) = record {
+	second_byte       : uint8;
+	implementation_num: uint8;
+	request_code      : uint8;
+	err_and_data_len  : uint16;
+	data              : bytestring &length=data_len;
+	have_mac          : case(auth_bit) of {
+		true  -> mac: NTP_MAC;
+		false -> nil: empty;
+	};
+} &let {
+	auth_bit  : bool  = (second_byte & 0x80) > 0;
+	sequence  : uint8 = (second_byte & 0x7F);
+	error_code: uint8 = (err_and_data_len & 0xF000) >> 12;
+	data_len  : uint16 = (err_and_data_len & 0x0FFF);
+};
+
diff --git a/src/analyzer/protocol/ntp/ntp.pac b/src/analyzer/protocol/ntp/ntp.pac
index f1f4e7ed22..5ec3957078 100644
--- a/src/analyzer/protocol/ntp/ntp.pac
+++ b/src/analyzer/protocol/ntp/ntp.pac
@@ -9,6 +9,7 @@
 
 %extern{
 	#include "events.bif.h"
+	#include "types.bif.h"
 %}
 
 analyzer NTP withcontext {
@@ -26,16 +27,7 @@ connection NTP_Conn(bro_analyzer: BroAnalyzer) {
 
 # Now we define the flow:
 flow NTP_Flow(is_orig: bool) {
-
-	# ## TODO: Determine if you want flowunit or datagram parsing:
-
-	# Using flowunit will cause the anlayzer to buffer incremental input.
-	# This is needed for &oneline and &length. If you don't need this, you'll
-	# get better performance with datagram.
-
-	# flowunit = NTP_PDU(is_orig) withcontext(connection, this);
 	datagram = NTP_PDU(is_orig) withcontext(connection, this);
-
 };
 
 %include ntp-analyzer.pac
\ No newline at end of file
diff --git a/src/analyzer/protocol/ntp/types.bif b/src/analyzer/protocol/ntp/types.bif
new file mode 100644
index 0000000000..1a5fd07faa
--- /dev/null
+++ b/src/analyzer/protocol/ntp/types.bif
@@ -0,0 +1,5 @@
+module NTP;
+
+type NTP::Message: record;
+
+module GLOBAL;
\ No newline at end of file
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 950b898ab1..acd598becc 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -37,6 +37,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 1434/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 3306/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_NTP, 123/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RDP, 3389/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SIP, 5060/udp)) -> <no result>
@@ -103,6 +104,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 1434/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 3306/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_NTP, 123/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_RDP, 3389/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SIP, 5060/udp)) -> <no result>
@@ -145,6 +147,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB_TCP, {88/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_MODBUS, {502/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_MYSQL, {1434<...>/tcp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_NTP, {123/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_RADIUS, {1812/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_RDP, {3389/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SIP, {5060/udp})) -> <no result>
@@ -202,6 +205,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=ntlm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=ntp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_catch_release, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@@ -248,6 +252,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol])) -> <no result>
@@ -277,7 +282,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559140567.483887, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -295,6 +300,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (KRB::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Modbus::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NTLM::LOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NTP::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::CATCH_RELEASE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::DROP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::LOG)) -> <no result>
@@ -341,6 +347,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <no result>
@@ -387,6 +394,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (KRB::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Modbus::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NTLM::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NTP::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NetControl::CATCH_RELEASE, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NetControl::DROP, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NetControl::LOG, default)) -> <no result>
@@ -433,6 +441,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol])) -> <no result>
@@ -462,7 +471,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559140567.483887, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -624,6 +633,7 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTLM.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTLM.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTP.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NetBIOS.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NoneWriter.none.bif.zeek) -> -1
@@ -845,6 +855,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/netcontrol) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/notice) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ntlm) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/ntp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/numbers.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/openflow) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/option.bif.zeek) -> -1
@@ -940,6 +951,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MODBUS, 502/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 1434/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 3306/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_NTP, 123/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RADIUS, 1812/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RDP, 3389/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SIP, 5060/udp))
@@ -1006,6 +1018,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_MODBUS, 502/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 1434/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 3306/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_NTP, 123/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_RADIUS, 1812/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_RDP, 3389/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SIP, 5060/udp))
@@ -1048,6 +1061,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB_TCP, {88/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_MODBUS, {502/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_MYSQL, {1434<...>/tcp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_NTP, {123/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_RADIUS, {1812/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_RDP, {3389/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SIP, {5060/udp}))
@@ -1105,6 +1119,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=ntlm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=ntp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_catch_release, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@@ -1151,6 +1166,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol]))
@@ -1180,7 +1196,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559140567.483887, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1198,6 +1214,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (KRB::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Modbus::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NTLM::LOG))
+0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NTP::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::CATCH_RELEASE))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::DROP))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::LOG))
@@ -1244,6 +1261,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}]))
@@ -1290,6 +1308,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (KRB::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Modbus::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NTLM::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NTP::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NetControl::CATCH_RELEASE, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NetControl::DROP, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NetControl::LOG, default))
@@ -1336,6 +1355,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol]))
@@ -1365,7 +1385,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559140567.483887, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1527,6 +1547,7 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTLM.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTLM.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NetBIOS.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NoneWriter.none.bif.zeek)
@@ -1748,6 +1769,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/netcontrol)
 0.000000   MetaHookPre   LoadFile(0, base<...>/notice)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ntlm)
+0.000000   MetaHookPre   LoadFile(0, base<...>/ntp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/numbers.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/openflow)
 0.000000   MetaHookPre   LoadFile(0, base<...>/option.bif.zeek)
@@ -1843,6 +1865,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_MODBUS, 502/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_MYSQL, 1434/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_MYSQL, 3306/tcp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_NTP, 123/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RDP, 3389/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SIP, 5060/udp)
@@ -1909,6 +1932,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_MODBUS, 502/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_MYSQL, 1434/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_MYSQL, 3306/tcp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_NTP, 123/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_RDP, 3389/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SIP, 5060/udp)
@@ -1951,6 +1975,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, {88/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, {502/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, {1434<...>/tcp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, {123/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, {1812/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, {3389/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, {5060/udp})
@@ -2007,6 +2032,7 @@
 0.000000 | HookCallFunction Log::__add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=ntlm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::__add_filter(NTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=ntp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_catch_release, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::__add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
@@ -2053,6 +2079,7 @@
 0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos])
 0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus])
 0.000000 | HookCallFunction Log::__create_stream(NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm])
+0.000000 | HookCallFunction Log::__create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp])
 0.000000 | HookCallFunction Log::__create_stream(NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])
 0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])
 0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol])
@@ -2082,7 +2109,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1559140567.483887, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2100,6 +2127,7 @@
 0.000000 | HookCallFunction Log::add_default_filter(KRB::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Modbus::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(NTLM::LOG)
+0.000000 | HookCallFunction Log::add_default_filter(NTP::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(NetControl::CATCH_RELEASE)
 0.000000 | HookCallFunction Log::add_default_filter(NetControl::DROP)
 0.000000 | HookCallFunction Log::add_default_filter(NetControl::LOG)
@@ -2146,6 +2174,7 @@
 0.000000 | HookCallFunction Log::add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
+0.000000 | HookCallFunction Log::add_filter(NTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(NetControl::CATCH_RELEASE, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(NetControl::DROP, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
 0.000000 | HookCallFunction Log::add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=<uninitialized>, config={}])
@@ -2192,6 +2221,7 @@
 0.000000 | HookCallFunction Log::add_stream_filters(KRB::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(Modbus::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(NTLM::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(NTP::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(NetControl::CATCH_RELEASE, default)
 0.000000 | HookCallFunction Log::add_stream_filters(NetControl::DROP, default)
 0.000000 | HookCallFunction Log::add_stream_filters(NetControl::LOG, default)
@@ -2238,6 +2268,7 @@
 0.000000 | HookCallFunction Log::create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos])
 0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus])
 0.000000 | HookCallFunction Log::create_stream(NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm])
+0.000000 | HookCallFunction Log::create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp])
 0.000000 | HookCallFunction Log::create_stream(NetControl::CATCH_RELEASE, [columns=NetControl::CatchReleaseInfo, ev=NetControl::log_netcontrol_catch_release, path=netcontrol_catch_release])
 0.000000 | HookCallFunction Log::create_stream(NetControl::DROP, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop])
 0.000000 | HookCallFunction Log::create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol])
@@ -2267,7 +2298,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1559140567.483887, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2429,6 +2460,7 @@
 0.000000 | HookLoadFile  .<...>/Bro_NTLM.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Bro_NTLM.types.bif.zeek
 0.000000 | HookLoadFile  .<...>/Bro_NTP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Bro_NTP.types.bif.zeek
 0.000000 | HookLoadFile  .<...>/Bro_NetBIOS.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Bro_NetBIOS.functions.bif.zeek
 0.000000 | HookLoadFile  .<...>/Bro_NoneWriter.none.bif.zeek
@@ -2659,6 +2691,7 @@
 0.000000 | HookLoadFile  base<...>/netcontrol
 0.000000 | HookLoadFile  base<...>/notice
 0.000000 | HookLoadFile  base<...>/ntlm
+0.000000 | HookLoadFile  base<...>/ntp
 0.000000 | HookLoadFile  base<...>/numbers.zeek
 0.000000 | HookLoadFile  base<...>/openflow
 0.000000 | HookLoadFile  base<...>/option.bif.zeek
@@ -2702,7 +2735,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1559140567.483887, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()
@@ -2711,11 +2744,11 @@
 1362692526.869344   MetaHookPost  CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5)) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
 1362692526.869344   MetaHookPost  CallFunction(get_net_stats, <frame>, ()) -> <no result>
-1362692526.869344   MetaHookPost  CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.869344   MetaHookPost  CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692526.869344   MetaHookPost  DrainEvents() -> <void>
 1362692526.869344   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
 1362692526.869344   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-1362692526.869344   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692526.869344   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692526.869344   MetaHookPost  SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) -> <void>
 1362692526.869344   MetaHookPost  UpdateNetworkTime(1362692526.869344) -> <void>
 1362692526.869344   MetaHookPre   BroObjDtor(<void ptr>)
@@ -2723,11 +2756,11 @@
 1362692526.869344   MetaHookPre   CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5))
 1362692526.869344   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
 1362692526.869344   MetaHookPre   CallFunction(get_net_stats, <frame>, ())
-1362692526.869344   MetaHookPre   CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.869344   MetaHookPre   CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.869344   MetaHookPre   DrainEvents()
 1362692526.869344   MetaHookPre   QueueEvent(ChecksumOffloading::check())
 1362692526.869344   MetaHookPre   QueueEvent(filter_change_tracking())
-1362692526.869344   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.869344   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.869344   MetaHookPre   SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80)
 1362692526.869344   MetaHookPre   UpdateNetworkTime(1362692526.869344)
 1362692526.869344  | HookBroObjDtor
@@ -2736,28 +2769,28 @@
 1362692526.869344 | HookCallFunction NetControl::catch_release_seen(141.142.228.5)
 1362692526.869344 | HookCallFunction filter_change_tracking()
 1362692526.869344 | HookCallFunction get_net_stats()
-1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.869344 | HookDrainEvents
 1362692526.869344 | HookQueueEvent ChecksumOffloading::check()
 1362692526.869344 | HookQueueEvent filter_change_tracking()
-1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.869344 | HookSetupAnalyzerTree 1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80
 1362692526.869344 | RequestObjDtor ChecksumOffloading::check()
 1362692526.939084   MetaHookPost  CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5)) -> <no result>
-1362692526.939084   MetaHookPost  CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.939084   MetaHookPost  CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692526.939084   MetaHookPost  DrainEvents() -> <void>
-1362692526.939084   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692526.939084   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692526.939084   MetaHookPost  UpdateNetworkTime(1362692526.939084) -> <void>
 1362692526.939084   MetaHookPre   CallFunction(NetControl::catch_release_seen, <frame>, (141.142.228.5))
-1362692526.939084   MetaHookPre   CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939084   MetaHookPre   CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939084   MetaHookPre   DrainEvents()
-1362692526.939084   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939084   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692526.939084   MetaHookPre   UpdateNetworkTime(1362692526.939084)
 1362692526.939084  | HookUpdateNetworkTime 1362692526.939084
 1362692526.939084 | HookCallFunction NetControl::catch_release_seen(141.142.228.5)
-1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.939084 | HookDrainEvents
-1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692526.939378   MetaHookPost  DrainEvents() -> <void>
 1362692526.939378   MetaHookPost  UpdateNetworkTime(1362692526.939378) -> <void>
 1362692526.939378   MetaHookPre   DrainEvents()
@@ -2766,118 +2799,118 @@
 1362692526.939378 | HookDrainEvents
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
-1362692526.939527   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
+1362692526.939527   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692526.939527   MetaHookPost  CallFunction(split_string1, <frame>, (bro.org, <...>/)) -> <no result>
 1362692526.939527   MetaHookPost  DrainEvents() -> <void>
-1362692526.939527   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
 1362692526.939527   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
+1362692526.939527   MetaHookPost  QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
 1362692526.939527   MetaHookPost  UpdateNetworkTime(1362692526.939527) -> <void>
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
 1362692526.939527   MetaHookPre   CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
 1362692526.939527   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
-1362692526.939527   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
 1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
+1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
+1362692526.939527   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
+1362692526.939527   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
 1362692526.939527   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692526.939527   MetaHookPre   CallFunction(network_time, <frame>, ())
-1362692526.939527   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
+1362692526.939527   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 1362692526.939527   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80))
 1362692526.939527   MetaHookPre   CallFunction(split_string1, <frame>, (bro.org, <...>/))
 1362692526.939527   MetaHookPre   DrainEvents()
-1362692526.939527   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692526.939527   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*))
 1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
+1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
+1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
+1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 1362692526.939527   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1))
-1362692526.939527   MetaHookPre   QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
+1362692526.939527   MetaHookPre   QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 1362692526.939527   MetaHookPre   UpdateNetworkTime(1362692526.939527)
 1362692526.939527  | HookUpdateNetworkTime 1362692526.939527
 1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
 1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP)
-1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
 1362692526.939527 | HookCallFunction fmt(-%s, HTTP)
-1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
+1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
+1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
+1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
 1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692526.939527 | HookCallFunction network_time()
-1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
+1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)
 1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/)
 1362692526.939527 | HookDrainEvents
-1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)
 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
+1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
+1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
+1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)
-1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
+1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 1362692527.008509   MetaHookPost  DrainEvents() -> <void>
 1362692527.008509   MetaHookPost  UpdateNetworkTime(1362692527.008509) -> <void>
 1362692527.008509   MetaHookPre   DrainEvents()
@@ -2886,142 +2919,142 @@
 1362692527.008509 | HookDrainEvents
 1362692527.009512   MetaHookPost  CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 524288)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> <no result>
-1362692527.009512   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
+1362692527.009512   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009512   MetaHookPost  CallFunction(split_string_all, <frame>, (HTTP, <...>/)) -> <no result>
 1362692527.009512   MetaHookPost  DrainEvents() -> <void>
-1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
 1362692527.009512   MetaHookPost  UpdateNetworkTime(1362692527.009512) -> <void>
 1362692527.009512   MetaHookPre   CallFunction(Files::__enable_reassembly, <frame>, (FakNcS1Jfe01uljb3))
 1362692527.009512   MetaHookPre   CallFunction(Files::__set_reassembly_buffer, <frame>, (FakNcS1Jfe01uljb3, 524288))
-1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288))
+1362692527.009512   MetaHookPre   CallFunction(Files::enable_reassembly, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_reassembly_buffer_size, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(file_new, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
+1362692527.009512   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
+1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
 1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009512   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009512   MetaHookPre   CallFunction(split_string_all, <frame>, (HTTP, <...>/))
 1362692527.009512   MetaHookPre   DrainEvents()
-1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
+1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
+1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   UpdateNetworkTime(1362692527.009512)
 1362692527.009512  | HookUpdateNetworkTime 1362692527.009512
 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3)
 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 524288)
-1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)
+1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>], 524288)
 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
+1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
+1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
-1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/)
 1362692527.009512 | HookDrainEvents
-1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
+1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
+1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
-1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
 1362692527.009721   MetaHookPost  DrainEvents() -> <void>
 1362692527.009721   MetaHookPost  UpdateNetworkTime(1362692527.009721) -> <void>
 1362692527.009721   MetaHookPre   DrainEvents()
@@ -3037,8 +3070,8 @@
 1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])) -> <no result>
@@ -3047,9 +3080,9 @@
 1362692527.009775   MetaHookPost  CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-1362692527.009775   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
+1362692527.009775   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
 1362692527.009775   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 1362692527.009775   MetaHookPost  DrainEvents() -> <void>
@@ -3059,15 +3092,15 @@
 1362692527.009775   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, <void ptr>) -> true
 1362692527.009775   MetaHookPost  QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false
 1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
+1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
 1362692527.009775   MetaHookPost  UpdateNetworkTime(1362692527.009775) -> <void>
 1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Files::set_info, <frame>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::code_in_range, <frame>, (200, 100, 199))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 1362692527.009775   MetaHookPre   CallFunction(Log::write, <frame>, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]))
@@ -3076,9 +3109,9 @@
 1362692527.009775   MetaHookPre   CallFunction(file_sniff, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]))
 1362692527.009775   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
+1362692527.009775   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
 1362692527.009775   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
 1362692527.009775   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   DrainEvents()
@@ -3088,16 +3121,16 @@
 1362692527.009775   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, <void ptr>)
 1362692527.009775   MetaHookPre   QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]))
 1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
+1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
 1362692527.009775   MetaHookPre   UpdateNetworkTime(1362692527.009775)
 1362692527.009775  | HookUpdateNetworkTime 1362692527.009775
 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])
@@ -3106,9 +3139,9 @@
 1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])
 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
+1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookDrainEvents
@@ -3118,9 +3151,9 @@
 1362692527.009775 | HookLogWrite  http [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, trans_depth=1, method=GET, host=bro.org, uri=<...>/plain]
 1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])
 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
+1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
 1362692527.009855   MetaHookPost  DrainEvents() -> <void>
 1362692527.009855   MetaHookPost  UpdateNetworkTime(1362692527.009855) -> <void>
 1362692527.009855   MetaHookPre   DrainEvents()
@@ -3146,19 +3179,19 @@
 1362692527.080828  | HookUpdateNetworkTime 1362692527.080828
 1362692527.080828 | HookDrainEvents
 1362692527.080972   MetaHookPost  CallFunction(ChecksumOffloading::check, <null>, ()) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(KRB::do_log, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(KRB::do_log, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <no result>
-1362692527.080972   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+1362692527.080972   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(get_net_stats, <frame>, ()) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(get_port_transport_proto, <frame>, (80/tcp)) -> <no result>
 1362692527.080972   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <no result>
@@ -3173,25 +3206,25 @@
 1362692527.080972   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) -> <void>
 1362692527.080972   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, <void ptr>) -> true
 1362692527.080972   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
+1362692527.080972   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
 1362692527.080972   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
+1362692527.080972   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 1362692527.080972   MetaHookPost  QueueEvent(zeek_done()) -> false
 1362692527.080972   MetaHookPost  UpdateNetworkTime(1362692527.080972) -> <void>
 1362692527.080972   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
-1362692527.080972   MetaHookPre   CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp))
-1362692527.080972   MetaHookPre   CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692527.080972   MetaHookPre   CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   CallFunction(KRB::do_log, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692527.080972   MetaHookPre   CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(Conn::conn_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp))
+1362692527.080972   MetaHookPre   CallFunction(Conn::determine_service, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(Conn::set_conn, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(KRB::do_log, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(KRB::fill_in_subjects, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(Log::write, <frame>, (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.080972   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
 1362692527.080972   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.080972   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692527.080972   MetaHookPre   CallFunction(get_net_stats, <frame>, ())
 1362692527.080972   MetaHookPre   CallFunction(get_port_transport_proto, <frame>, (80/tcp))
 1362692527.080972   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
@@ -3206,26 +3239,26 @@
 1362692527.080972   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])})
 1362692527.080972   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, <void ptr>)
 1362692527.080972   MetaHookPre   QueueEvent(ChecksumOffloading::check())
-1362692527.080972   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
+1362692527.080972   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 1362692527.080972   MetaHookPre   QueueEvent(filter_change_tracking())
-1362692527.080972   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+1362692527.080972   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 1362692527.080972   MetaHookPre   QueueEvent(zeek_done())
 1362692527.080972   MetaHookPre   UpdateNetworkTime(1362692527.080972)
 1362692527.080972  | HookUpdateNetworkTime 1362692527.080972
 1362692527.080972 | HookCallFunction ChecksumOffloading::check()
-1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)
-1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)
+1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
 1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookCallFunction filter_change_tracking()
 1362692527.080972 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692527.080972 | HookCallFunction get_net_stats()
 1362692527.080972 | HookCallFunction get_port_transport_proto(80/tcp)
 1362692527.080972 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
@@ -3240,7 +3273,7 @@
 1362692527.080972 | HookLogInit   conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}
 1362692527.080972 | HookLogWrite  conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]
 1362692527.080972 | HookQueueEvent ChecksumOffloading::check()
-1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
+1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 1362692527.080972 | HookQueueEvent filter_change_tracking()
-1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 1362692527.080972 | HookQueueEvent zeek_done()

From 1ce0fcce49b49cd221b60443b3b1888c277c7367 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Wed, 29 May 2019 15:56:37 -0700
Subject: [PATCH 11/91] GH-387: update Broker topic names to use "zeek/" prefix

---
 NEWS                                          |  33 ++++
 doc                                           |   2 +-
 scripts/base/frameworks/broker/main.zeek      |   2 +-
 scripts/base/frameworks/cluster/main.zeek     |  14 +-
 scripts/base/frameworks/cluster/pools.zeek    |   6 +-
 .../policy/protocols/conn/known-hosts.zeek    |   2 +-
 .../policy/protocols/conn/known-services.zeek |   2 +-
 scripts/policy/protocols/ssl/known-certs.zeek |   2 +-
 src/broker/Manager.cc                         |   9 ++
 testing/btest/Baseline/plugins.hooks/output   |  32 ++--
 .../manager-1..stdout                         | 144 +++++++++---------
 .../manager-1..stdout                         | 144 +++++++++---------
 .../manager-1..stdout                         |  96 ++++++------
 .../send.netcontrol.log                       |  28 ++--
 .../send.netcontrol.log                       |  18 +--
 testing/btest/broker/connect-on-retry.zeek    |   8 +-
 testing/btest/broker/disconnect.zeek          |   4 +-
 testing/btest/broker/error.zeek               |   4 +-
 testing/btest/broker/remote_event.zeek        |   8 +-
 testing/btest/broker/remote_event_any.zeek    |  10 +-
 testing/btest/broker/remote_event_auto.zeek   |   8 +-
 .../btest/broker/remote_event_ssl_auth.zeek   |   8 +-
 testing/btest/broker/remote_id.zeek           |   4 +-
 testing/btest/broker/remote_log.zeek          |   2 +-
 .../btest/broker/remote_log_late_join.zeek    |   2 +-
 testing/btest/broker/remote_log_types.zeek    |   4 +-
 testing/btest/broker/ssl_auth_failure.zeek    |   2 +-
 testing/btest/broker/store/clone.zeek         |   8 +-
 testing/btest/broker/unpeer.zeek              |   6 +-
 .../cluster/custom_pool_exclusivity.zeek      |   4 +-
 .../cluster/custom_pool_limits.zeek           |   4 +-
 .../base/frameworks/netcontrol/acld-hook.zeek |   8 +-
 .../base/frameworks/netcontrol/acld.zeek      |  12 +-
 .../base/frameworks/netcontrol/broker.zeek    |  12 +-
 .../frameworks/openflow/broker-basic.zeek     |   8 +-
 35 files changed, 351 insertions(+), 309 deletions(-)

diff --git a/NEWS b/NEWS
index 4de34ba8e8..e3a052d910 100644
--- a/NEWS
+++ b/NEWS
@@ -216,6 +216,39 @@ Changed Functionality
   in scripts has also been updated to replace Sphinx cross-referencing roles
   and directives like ":bro:see:" with ":zeek:zee:".
 
+- Any Broker topic names used in scripts shipped with Zeek that
+  previously were prefixed with "bro/" are now prefixed with "zeek/"
+  instead.
+
+  In the case where external applications were using a "bro/" topic
+  to send data into a Bro process, a Zeek process still subscribes
+  to those topics in addition to the equivalently named "zeek/" topic.
+
+  In the case where external applications were using a "bro/" topic
+  to subscribe to remote messages or query data stores, there's no
+  backwards compatibility and external applications must be changed
+  to use the new "zeek/" topic.  The thought is this change will have
+  low impact since most data published under "bro/" topic names is
+  intended for use only as a detail of implementing cluster-enabled
+  versions of various scripts.
+
+  A list of the most relevant/common topic names that could potentially
+  be used in external applications to consume/query remote data that
+  one may need to change:
+
+  - store names
+    - bro/known/services
+    - bro/known/hosts
+    - bro/known/certs
+
+  - cluster nodes
+    - bro/cluster/<node type>
+    - bro/cluster/node/<name>
+    - bro/cluster/nodeid/<id>
+
+  - logging
+    - bro/logs/<stream>
+
 Removed Functionality
 ---------------------
 
diff --git a/doc b/doc
index 4415d43650..d20052b8f5 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 4415d43650f0dd2039f639c814a95d10deac8422
+Subproject commit d20052b8f5f708ad114a6e46c20f6f05c98236be
diff --git a/scripts/base/frameworks/broker/main.zeek b/scripts/base/frameworks/broker/main.zeek
index 458b51050e..2b43c3fd2b 100644
--- a/scripts/base/frameworks/broker/main.zeek
+++ b/scripts/base/frameworks/broker/main.zeek
@@ -113,7 +113,7 @@ export {
 
 	## The default topic prefix where logs will be published.  The log's stream
 	## id is appended when writing to a particular stream.
-	const default_log_topic_prefix = "bro/logs/" &redef;
+	const default_log_topic_prefix = "zeek/logs/" &redef;
 
 	## The default implementation for :zeek:see:`Broker::log_topic`.
 	function default_log_topic(id: Log::ID, path: string): string
diff --git a/scripts/base/frameworks/cluster/main.zeek b/scripts/base/frameworks/cluster/main.zeek
index 8693b56397..9040c663e1 100644
--- a/scripts/base/frameworks/cluster/main.zeek
+++ b/scripts/base/frameworks/cluster/main.zeek
@@ -17,31 +17,31 @@ export {
 
 	## The topic name used for exchanging messages that are relevant to
 	## logger nodes in a cluster.  Used with broker-enabled cluster communication.
-	const logger_topic = "bro/cluster/logger" &redef;
+	const logger_topic = "zeek/cluster/logger" &redef;
 
 	## The topic name used for exchanging messages that are relevant to
 	## manager nodes in a cluster.  Used with broker-enabled cluster communication.
-	const manager_topic = "bro/cluster/manager" &redef;
+	const manager_topic = "zeek/cluster/manager" &redef;
 
 	## The topic name used for exchanging messages that are relevant to
 	## proxy nodes in a cluster.  Used with broker-enabled cluster communication.
-	const proxy_topic = "bro/cluster/proxy" &redef;
+	const proxy_topic = "zeek/cluster/proxy" &redef;
 
 	## The topic name used for exchanging messages that are relevant to
 	## worker nodes in a cluster.  Used with broker-enabled cluster communication.
-	const worker_topic = "bro/cluster/worker" &redef;
+	const worker_topic = "zeek/cluster/worker" &redef;
 
 	## The topic name used for exchanging messages that are relevant to
 	## time machine nodes in a cluster.  Used with broker-enabled cluster communication.
-	const time_machine_topic = "bro/cluster/time_machine" &redef;
+	const time_machine_topic = "zeek/cluster/time_machine" &redef;
 
 	## The topic prefix used for exchanging messages that are relevant to
 	## a named node in a cluster.  Used with broker-enabled cluster communication.
-	const node_topic_prefix = "bro/cluster/node/" &redef;
+	const node_topic_prefix = "zeek/cluster/node/" &redef;
 
 	## The topic prefix used for exchanging messages that are relevant to
 	## a unique node in a cluster.  Used with broker-enabled cluster communication.
-	const nodeid_topic_prefix = "bro/cluster/nodeid/" &redef;
+	const nodeid_topic_prefix = "zeek/cluster/nodeid/" &redef;
 
 	## Name of the node on which master data stores will be created if no other
 	## has already been specified by the user in :zeek:see:`Cluster::stores`.
diff --git a/scripts/base/frameworks/cluster/pools.zeek b/scripts/base/frameworks/cluster/pools.zeek
index 787d3aa0e0..9c21c3188d 100644
--- a/scripts/base/frameworks/cluster/pools.zeek
+++ b/scripts/base/frameworks/cluster/pools.zeek
@@ -60,17 +60,17 @@ export {
 
 	## The specification for :zeek:see:`Cluster::proxy_pool`.
 	global proxy_pool_spec: PoolSpec =
-		PoolSpec($topic = "bro/cluster/pool/proxy",
+		PoolSpec($topic = "zeek/cluster/pool/proxy",
 				 $node_type = Cluster::PROXY) &redef;
 
 	## The specification for :zeek:see:`Cluster::worker_pool`.
 	global worker_pool_spec: PoolSpec =
-		PoolSpec($topic = "bro/cluster/pool/worker",
+		PoolSpec($topic = "zeek/cluster/pool/worker",
 				 $node_type = Cluster::WORKER) &redef;
 
 	## The specification for :zeek:see:`Cluster::logger_pool`.
 	global logger_pool_spec: PoolSpec =
-		PoolSpec($topic = "bro/cluster/pool/logger",
+		PoolSpec($topic = "zeek/cluster/pool/logger",
 				 $node_type = Cluster::LOGGER) &redef;
 
 	## A pool containing all the proxy nodes of a cluster.
diff --git a/scripts/policy/protocols/conn/known-hosts.zeek b/scripts/policy/protocols/conn/known-hosts.zeek
index 19bf2cef05..8a3383e1b2 100644
--- a/scripts/policy/protocols/conn/known-hosts.zeek
+++ b/scripts/policy/protocols/conn/known-hosts.zeek
@@ -36,7 +36,7 @@ export {
 	global host_store: Cluster::StoreInfo;
 
 	## The Broker topic name to use for :zeek:see:`Known::host_store`.
-	const host_store_name = "bro/known/hosts" &redef;
+	const host_store_name = "zeek/known/hosts" &redef;
 
 	## The expiry interval of new entries in :zeek:see:`Known::host_store`.
 	## This also changes the interval at which hosts get logged.
diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek
index fc8c3e806e..24774586dc 100644
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@@ -48,7 +48,7 @@ export {
 	global service_store: Cluster::StoreInfo;
 
 	## The Broker topic name to use for :zeek:see:`Known::service_store`.
-	const service_store_name = "bro/known/services" &redef;
+	const service_store_name = "zeek/known/services" &redef;
 
 	## The expiry interval of new entries in :zeek:see:`Known::service_store`.
 	## This also changes the interval at which services get logged.
diff --git a/scripts/policy/protocols/ssl/known-certs.zeek b/scripts/policy/protocols/ssl/known-certs.zeek
index 9830ad0ed5..f6aec6267d 100644
--- a/scripts/policy/protocols/ssl/known-certs.zeek
+++ b/scripts/policy/protocols/ssl/known-certs.zeek
@@ -48,7 +48,7 @@ export {
 	global cert_store: Cluster::StoreInfo;
 
 	## The Broker topic name to use for :zeek:see:`Known::cert_store`.
-	const cert_store_name = "bro/known/certs" &redef;
+	const cert_store_name = "zeek/known/certs" &redef;
 
 	## The expiry interval of new entries in :zeek:see:`Known::cert_store`.
 	## This also changes the interval at which certs get logged.
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc
index f5e374e239..2cf0f8e3f2 100644
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@@ -772,6 +772,15 @@ bool Manager::Subscribe(const string& topic_prefix)
 	{
 	DBG_LOG(DBG_BROKER, "Subscribing to topic prefix %s", topic_prefix.c_str());
 	bstate->subscriber.add_topic(topic_prefix, ! after_zeek_init);
+
+	// For backward compatibility, we also may receive messages on
+	// "bro/" topic prefixes in addition to "zeek/".
+	if ( strncmp(topic_prefix.data(), "zeek/", 5) == 0 )
+		{
+		std::string alt_topic = "bro/" + topic_prefix.substr(5);
+		bstate->subscriber.add_topic(std::move(alt_topic), ! after_zeek_init);
+		}
+
 	return true;
 	}
 
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 950b898ab1..c5f1516016 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -161,9 +161,9 @@
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::local_node_type, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Cluster::register_pool, <frame>, ([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=<uninitialized>, exclusive=F])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Cluster::register_pool, <frame>, ([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Cluster::register_pool, <frame>, ([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=<uninitialized>, exclusive=F])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Cluster::register_pool, <frame>, ([topic=zeek<...>/logger, node_type=Cluster::LOGGER, max_nodes=<uninitialized>, exclusive=F])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Cluster::register_pool, <frame>, ([topic=zeek<...>/proxy, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Cluster::register_pool, <frame>, ([topic=zeek<...>/worker, node_type=Cluster::WORKER, max_nodes=<uninitialized>, exclusive=F])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/pkix-cert)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-ca-cert)) -> <no result>
@@ -277,7 +277,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559169206.982011, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -462,7 +462,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559169206.982011, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -1064,9 +1064,9 @@
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <null>, ())
 0.000000   MetaHookPre   CallFunction(Cluster::local_node_type, <null>, ())
-0.000000   MetaHookPre   CallFunction(Cluster::register_pool, <frame>, ([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=<uninitialized>, exclusive=F]))
-0.000000   MetaHookPre   CallFunction(Cluster::register_pool, <frame>, ([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F]))
-0.000000   MetaHookPre   CallFunction(Cluster::register_pool, <frame>, ([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=<uninitialized>, exclusive=F]))
+0.000000   MetaHookPre   CallFunction(Cluster::register_pool, <frame>, ([topic=zeek<...>/logger, node_type=Cluster::LOGGER, max_nodes=<uninitialized>, exclusive=F]))
+0.000000   MetaHookPre   CallFunction(Cluster::register_pool, <frame>, ([topic=zeek<...>/proxy, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F]))
+0.000000   MetaHookPre   CallFunction(Cluster::register_pool, <frame>, ([topic=zeek<...>/worker, node_type=Cluster::WORKER, max_nodes=<uninitialized>, exclusive=F]))
 0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/pkix-cert))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-ca-cert))
@@ -1180,7 +1180,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559169206.982011, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1365,7 +1365,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559169206.982011, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1966,9 +1966,9 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Cluster::is_enabled()
 0.000000 | HookCallFunction Cluster::local_node_type()
-0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=<uninitialized>, exclusive=F])
-0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F])
-0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=<uninitialized>, exclusive=F])
+0.000000 | HookCallFunction Cluster::register_pool([topic=zeek<...>/logger, node_type=Cluster::LOGGER, max_nodes=<uninitialized>, exclusive=F])
+0.000000 | HookCallFunction Cluster::register_pool([topic=zeek<...>/proxy, node_type=Cluster::PROXY, max_nodes=<uninitialized>, exclusive=F])
+0.000000 | HookCallFunction Cluster::register_pool([topic=zeek<...>/worker, node_type=Cluster::WORKER, max_nodes=<uninitialized>, exclusive=F])
 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert)
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert)
@@ -2082,7 +2082,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1559169206.982011, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2267,7 +2267,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1559169206.982011, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2702,7 +2702,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1555986109.036092, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1559169206.982011, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout
index f5b2222839..788b3699dd 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout
@@ -1,101 +1,101 @@
 1st stuff
-hrw, 0, bro/cluster/node/proxy-1
-hrw (custom pool), 0, bro/cluster/node/proxy-2
-hrw, 1, bro/cluster/node/proxy-1
-hrw (custom pool), 1, bro/cluster/node/proxy-2
-hrw, 2, bro/cluster/node/proxy-1
-hrw (custom pool), 2, bro/cluster/node/proxy-2
-hrw, 3, bro/cluster/node/proxy-1
-hrw (custom pool), 3, bro/cluster/node/proxy-2
-hrw, 13, bro/cluster/node/proxy-1
-hrw (custom pool), 13, bro/cluster/node/proxy-2
-hrw, 37, bro/cluster/node/proxy-1
-hrw (custom pool), 37, bro/cluster/node/proxy-2
-hrw, 42, bro/cluster/node/proxy-1
-hrw (custom pool), 42, bro/cluster/node/proxy-2
-hrw, 101, bro/cluster/node/proxy-1
-hrw (custom pool), 101, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-hrw, 0, bro/cluster/node/proxy-1
-hrw (custom pool), 0, bro/cluster/node/proxy-2
-hrw, 1, bro/cluster/node/proxy-1
-hrw (custom pool), 1, bro/cluster/node/proxy-2
-hrw, 2, bro/cluster/node/proxy-1
-hrw (custom pool), 2, bro/cluster/node/proxy-2
-hrw, 3, bro/cluster/node/proxy-1
-hrw (custom pool), 3, bro/cluster/node/proxy-2
-hrw, 13, bro/cluster/node/proxy-1
-hrw (custom pool), 13, bro/cluster/node/proxy-2
-hrw, 37, bro/cluster/node/proxy-1
-hrw (custom pool), 37, bro/cluster/node/proxy-2
-hrw, 42, bro/cluster/node/proxy-1
-hrw (custom pool), 42, bro/cluster/node/proxy-2
-hrw, 101, bro/cluster/node/proxy-1
-hrw (custom pool), 101, bro/cluster/node/proxy-2
+hrw, 0, zeek/cluster/node/proxy-1
+hrw (custom pool), 0, zeek/cluster/node/proxy-2
+hrw, 1, zeek/cluster/node/proxy-1
+hrw (custom pool), 1, zeek/cluster/node/proxy-2
+hrw, 2, zeek/cluster/node/proxy-1
+hrw (custom pool), 2, zeek/cluster/node/proxy-2
+hrw, 3, zeek/cluster/node/proxy-1
+hrw (custom pool), 3, zeek/cluster/node/proxy-2
+hrw, 13, zeek/cluster/node/proxy-1
+hrw (custom pool), 13, zeek/cluster/node/proxy-2
+hrw, 37, zeek/cluster/node/proxy-1
+hrw (custom pool), 37, zeek/cluster/node/proxy-2
+hrw, 42, zeek/cluster/node/proxy-1
+hrw (custom pool), 42, zeek/cluster/node/proxy-2
+hrw, 101, zeek/cluster/node/proxy-1
+hrw (custom pool), 101, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+hrw, 0, zeek/cluster/node/proxy-1
+hrw (custom pool), 0, zeek/cluster/node/proxy-2
+hrw, 1, zeek/cluster/node/proxy-1
+hrw (custom pool), 1, zeek/cluster/node/proxy-2
+hrw, 2, zeek/cluster/node/proxy-1
+hrw (custom pool), 2, zeek/cluster/node/proxy-2
+hrw, 3, zeek/cluster/node/proxy-1
+hrw (custom pool), 3, zeek/cluster/node/proxy-2
+hrw, 13, zeek/cluster/node/proxy-1
+hrw (custom pool), 13, zeek/cluster/node/proxy-2
+hrw, 37, zeek/cluster/node/proxy-1
+hrw (custom pool), 37, zeek/cluster/node/proxy-2
+hrw, 42, zeek/cluster/node/proxy-1
+hrw (custom pool), 42, zeek/cluster/node/proxy-2
+hrw, 101, zeek/cluster/node/proxy-1
+hrw (custom pool), 101, zeek/cluster/node/proxy-2
 2nd stuff
 hrw, 0, 
-hrw (custom pool), 0, bro/cluster/node/proxy-2
+hrw (custom pool), 0, zeek/cluster/node/proxy-2
 hrw, 1, 
-hrw (custom pool), 1, bro/cluster/node/proxy-2
+hrw (custom pool), 1, zeek/cluster/node/proxy-2
 hrw, 2, 
-hrw (custom pool), 2, bro/cluster/node/proxy-2
+hrw (custom pool), 2, zeek/cluster/node/proxy-2
 hrw, 3, 
-hrw (custom pool), 3, bro/cluster/node/proxy-2
+hrw (custom pool), 3, zeek/cluster/node/proxy-2
 hrw, 13, 
-hrw (custom pool), 13, bro/cluster/node/proxy-2
+hrw (custom pool), 13, zeek/cluster/node/proxy-2
 hrw, 37, 
-hrw (custom pool), 37, bro/cluster/node/proxy-2
+hrw (custom pool), 37, zeek/cluster/node/proxy-2
 hrw, 42, 
-hrw (custom pool), 42, bro/cluster/node/proxy-2
+hrw (custom pool), 42, zeek/cluster/node/proxy-2
 hrw, 101, 
-hrw (custom pool), 101, bro/cluster/node/proxy-2
+hrw (custom pool), 101, zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 hrw, 0, 
-hrw (custom pool), 0, bro/cluster/node/proxy-2
+hrw (custom pool), 0, zeek/cluster/node/proxy-2
 hrw, 1, 
-hrw (custom pool), 1, bro/cluster/node/proxy-2
+hrw (custom pool), 1, zeek/cluster/node/proxy-2
 hrw, 2, 
-hrw (custom pool), 2, bro/cluster/node/proxy-2
+hrw (custom pool), 2, zeek/cluster/node/proxy-2
 hrw, 3, 
-hrw (custom pool), 3, bro/cluster/node/proxy-2
+hrw (custom pool), 3, zeek/cluster/node/proxy-2
 hrw, 13, 
-hrw (custom pool), 13, bro/cluster/node/proxy-2
+hrw (custom pool), 13, zeek/cluster/node/proxy-2
 hrw, 37, 
-hrw (custom pool), 37, bro/cluster/node/proxy-2
+hrw (custom pool), 37, zeek/cluster/node/proxy-2
 hrw, 42, 
-hrw (custom pool), 42, bro/cluster/node/proxy-2
+hrw (custom pool), 42, zeek/cluster/node/proxy-2
 hrw, 101, 
-hrw (custom pool), 101, bro/cluster/node/proxy-2
+hrw (custom pool), 101, zeek/cluster/node/proxy-2
 no stuff
 hrw, 0, 
 hrw (custom pool), 0, 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout
index 977abbf9e9..310df794f0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout
@@ -1,101 +1,101 @@
 1st stuff
-hrw, 0, bro/cluster/node/proxy-1
-hrw (custom pool), 0, bro/cluster/node/proxy-1
-hrw, 1, bro/cluster/node/proxy-1
-hrw (custom pool), 1, bro/cluster/node/proxy-1
-hrw, 2, bro/cluster/node/proxy-1
-hrw (custom pool), 2, bro/cluster/node/proxy-1
-hrw, 3, bro/cluster/node/proxy-1
-hrw (custom pool), 3, bro/cluster/node/proxy-1
-hrw, 13, bro/cluster/node/proxy-1
-hrw (custom pool), 13, bro/cluster/node/proxy-2
-hrw, 37, bro/cluster/node/proxy-1
-hrw (custom pool), 37, bro/cluster/node/proxy-2
-hrw, 42, bro/cluster/node/proxy-1
-hrw (custom pool), 42, bro/cluster/node/proxy-2
-hrw, 101, bro/cluster/node/proxy-1
-hrw (custom pool), 101, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-1
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-1
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-1
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-1
-rr, bro/cluster/node/proxy-1
-rr (custom pool), bro/cluster/node/proxy-2
-hrw, 0, bro/cluster/node/proxy-1
-hrw (custom pool), 0, bro/cluster/node/proxy-1
-hrw, 1, bro/cluster/node/proxy-1
-hrw (custom pool), 1, bro/cluster/node/proxy-1
-hrw, 2, bro/cluster/node/proxy-1
-hrw (custom pool), 2, bro/cluster/node/proxy-1
-hrw, 3, bro/cluster/node/proxy-1
-hrw (custom pool), 3, bro/cluster/node/proxy-1
-hrw, 13, bro/cluster/node/proxy-1
-hrw (custom pool), 13, bro/cluster/node/proxy-2
-hrw, 37, bro/cluster/node/proxy-1
-hrw (custom pool), 37, bro/cluster/node/proxy-2
-hrw, 42, bro/cluster/node/proxy-1
-hrw (custom pool), 42, bro/cluster/node/proxy-2
-hrw, 101, bro/cluster/node/proxy-1
-hrw (custom pool), 101, bro/cluster/node/proxy-2
+hrw, 0, zeek/cluster/node/proxy-1
+hrw (custom pool), 0, zeek/cluster/node/proxy-1
+hrw, 1, zeek/cluster/node/proxy-1
+hrw (custom pool), 1, zeek/cluster/node/proxy-1
+hrw, 2, zeek/cluster/node/proxy-1
+hrw (custom pool), 2, zeek/cluster/node/proxy-1
+hrw, 3, zeek/cluster/node/proxy-1
+hrw (custom pool), 3, zeek/cluster/node/proxy-1
+hrw, 13, zeek/cluster/node/proxy-1
+hrw (custom pool), 13, zeek/cluster/node/proxy-2
+hrw, 37, zeek/cluster/node/proxy-1
+hrw (custom pool), 37, zeek/cluster/node/proxy-2
+hrw, 42, zeek/cluster/node/proxy-1
+hrw (custom pool), 42, zeek/cluster/node/proxy-2
+hrw, 101, zeek/cluster/node/proxy-1
+hrw (custom pool), 101, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-1
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-1
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-1
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-1
+rr, zeek/cluster/node/proxy-1
+rr (custom pool), zeek/cluster/node/proxy-2
+hrw, 0, zeek/cluster/node/proxy-1
+hrw (custom pool), 0, zeek/cluster/node/proxy-1
+hrw, 1, zeek/cluster/node/proxy-1
+hrw (custom pool), 1, zeek/cluster/node/proxy-1
+hrw, 2, zeek/cluster/node/proxy-1
+hrw (custom pool), 2, zeek/cluster/node/proxy-1
+hrw, 3, zeek/cluster/node/proxy-1
+hrw (custom pool), 3, zeek/cluster/node/proxy-1
+hrw, 13, zeek/cluster/node/proxy-1
+hrw (custom pool), 13, zeek/cluster/node/proxy-2
+hrw, 37, zeek/cluster/node/proxy-1
+hrw (custom pool), 37, zeek/cluster/node/proxy-2
+hrw, 42, zeek/cluster/node/proxy-1
+hrw (custom pool), 42, zeek/cluster/node/proxy-2
+hrw, 101, zeek/cluster/node/proxy-1
+hrw (custom pool), 101, zeek/cluster/node/proxy-2
 2nd stuff
 hrw, 0, 
-hrw (custom pool), 0, bro/cluster/node/proxy-2
+hrw (custom pool), 0, zeek/cluster/node/proxy-2
 hrw, 1, 
-hrw (custom pool), 1, bro/cluster/node/proxy-2
+hrw (custom pool), 1, zeek/cluster/node/proxy-2
 hrw, 2, 
-hrw (custom pool), 2, bro/cluster/node/proxy-2
+hrw (custom pool), 2, zeek/cluster/node/proxy-2
 hrw, 3, 
-hrw (custom pool), 3, bro/cluster/node/proxy-2
+hrw (custom pool), 3, zeek/cluster/node/proxy-2
 hrw, 13, 
-hrw (custom pool), 13, bro/cluster/node/proxy-2
+hrw (custom pool), 13, zeek/cluster/node/proxy-2
 hrw, 37, 
-hrw (custom pool), 37, bro/cluster/node/proxy-2
+hrw (custom pool), 37, zeek/cluster/node/proxy-2
 hrw, 42, 
-hrw (custom pool), 42, bro/cluster/node/proxy-2
+hrw (custom pool), 42, zeek/cluster/node/proxy-2
 hrw, 101, 
-hrw (custom pool), 101, bro/cluster/node/proxy-2
+hrw (custom pool), 101, zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 rr, 
-rr (custom pool), bro/cluster/node/proxy-2
+rr (custom pool), zeek/cluster/node/proxy-2
 hrw, 0, 
-hrw (custom pool), 0, bro/cluster/node/proxy-2
+hrw (custom pool), 0, zeek/cluster/node/proxy-2
 hrw, 1, 
-hrw (custom pool), 1, bro/cluster/node/proxy-2
+hrw (custom pool), 1, zeek/cluster/node/proxy-2
 hrw, 2, 
-hrw (custom pool), 2, bro/cluster/node/proxy-2
+hrw (custom pool), 2, zeek/cluster/node/proxy-2
 hrw, 3, 
-hrw (custom pool), 3, bro/cluster/node/proxy-2
+hrw (custom pool), 3, zeek/cluster/node/proxy-2
 hrw, 13, 
-hrw (custom pool), 13, bro/cluster/node/proxy-2
+hrw (custom pool), 13, zeek/cluster/node/proxy-2
 hrw, 37, 
-hrw (custom pool), 37, bro/cluster/node/proxy-2
+hrw (custom pool), 37, zeek/cluster/node/proxy-2
 hrw, 42, 
-hrw (custom pool), 42, bro/cluster/node/proxy-2
+hrw (custom pool), 42, zeek/cluster/node/proxy-2
 hrw, 101, 
-hrw (custom pool), 101, bro/cluster/node/proxy-2
+hrw (custom pool), 101, zeek/cluster/node/proxy-2
 no stuff
 hrw, 0, 
 hrw (custom pool), 0, 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout
index 2c99f08ef2..3b5dd7bad4 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout
@@ -1,53 +1,53 @@
 1st stuff
-hrw, 0, bro/cluster/node/proxy-1
-hrw, 1, bro/cluster/node/proxy-1
-hrw, 2, bro/cluster/node/proxy-1
-hrw, 3, bro/cluster/node/proxy-1
-hrw, 13, bro/cluster/node/proxy-2
-hrw, 37, bro/cluster/node/proxy-2
-hrw, 42, bro/cluster/node/proxy-2
-hrw, 101, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-1
-rr, bro/cluster/node/proxy-2
-hrw, 0, bro/cluster/node/proxy-1
-hrw, 1, bro/cluster/node/proxy-1
-hrw, 2, bro/cluster/node/proxy-1
-hrw, 3, bro/cluster/node/proxy-1
-hrw, 13, bro/cluster/node/proxy-2
-hrw, 37, bro/cluster/node/proxy-2
-hrw, 42, bro/cluster/node/proxy-2
-hrw, 101, bro/cluster/node/proxy-2
+hrw, 0, zeek/cluster/node/proxy-1
+hrw, 1, zeek/cluster/node/proxy-1
+hrw, 2, zeek/cluster/node/proxy-1
+hrw, 3, zeek/cluster/node/proxy-1
+hrw, 13, zeek/cluster/node/proxy-2
+hrw, 37, zeek/cluster/node/proxy-2
+hrw, 42, zeek/cluster/node/proxy-2
+hrw, 101, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-1
+rr, zeek/cluster/node/proxy-2
+hrw, 0, zeek/cluster/node/proxy-1
+hrw, 1, zeek/cluster/node/proxy-1
+hrw, 2, zeek/cluster/node/proxy-1
+hrw, 3, zeek/cluster/node/proxy-1
+hrw, 13, zeek/cluster/node/proxy-2
+hrw, 37, zeek/cluster/node/proxy-2
+hrw, 42, zeek/cluster/node/proxy-2
+hrw, 101, zeek/cluster/node/proxy-2
 2nd stuff
-hrw, 0, bro/cluster/node/proxy-2
-hrw, 1, bro/cluster/node/proxy-2
-hrw, 2, bro/cluster/node/proxy-2
-hrw, 3, bro/cluster/node/proxy-2
-hrw, 13, bro/cluster/node/proxy-2
-hrw, 37, bro/cluster/node/proxy-2
-hrw, 42, bro/cluster/node/proxy-2
-hrw, 101, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-2
-rr, bro/cluster/node/proxy-2
-hrw, 0, bro/cluster/node/proxy-2
-hrw, 1, bro/cluster/node/proxy-2
-hrw, 2, bro/cluster/node/proxy-2
-hrw, 3, bro/cluster/node/proxy-2
-hrw, 13, bro/cluster/node/proxy-2
-hrw, 37, bro/cluster/node/proxy-2
-hrw, 42, bro/cluster/node/proxy-2
-hrw, 101, bro/cluster/node/proxy-2
+hrw, 0, zeek/cluster/node/proxy-2
+hrw, 1, zeek/cluster/node/proxy-2
+hrw, 2, zeek/cluster/node/proxy-2
+hrw, 3, zeek/cluster/node/proxy-2
+hrw, 13, zeek/cluster/node/proxy-2
+hrw, 37, zeek/cluster/node/proxy-2
+hrw, 42, zeek/cluster/node/proxy-2
+hrw, 101, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-2
+rr, zeek/cluster/node/proxy-2
+hrw, 0, zeek/cluster/node/proxy-2
+hrw, 1, zeek/cluster/node/proxy-2
+hrw, 2, zeek/cluster/node/proxy-2
+hrw, 3, zeek/cluster/node/proxy-2
+hrw, 13, zeek/cluster/node/proxy-2
+hrw, 37, zeek/cluster/node/proxy-2
+hrw, 42, zeek/cluster/node/proxy-2
+hrw, 101, zeek/cluster/node/proxy-2
 no stuff
 hrw, 0, 
 hrw, 1, 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
index 6170cb6ce0..6ac98821e4 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
@@ -6,20 +6,20 @@
 #open	2017-04-07-17-26-05
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
-0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Acld-bro/event/netcontroltest
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Acld-zeek/event/netcontroltest
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	waiting for plugins to initialize	-	-	-	-
-1491585965.002956	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Acld-bro/event/netcontroltest
+1491585965.002956	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Acld-zeek/event/netcontroltest
 1491585965.002956	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
-1491585965.027155	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-bro/event/netcontroltest
-1491585965.027155	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-bro/event/netcontroltest
-1491585965.027155	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-bro/event/netcontroltest
-1491585965.027706	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	blockhosthost	0	36000.000000	here	Acld-bro/event/netcontroltest
-1491585965.027706	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-bro/event/netcontroltest
-1491585965.027706	3	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	droptcpport	0	36000.000000	there	Acld-bro/event/netcontroltest
-1491585965.027706	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-bro/event/netcontroltest
-1491585965.027706	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	drop	0	36000.000000	-	Acld-bro/event/netcontroltest
-1491585965.027706	4	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-bro/event/netcontroltest
-1491585965.027706	2	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	restorehosthost	0	36000.000000	here	Acld-bro/event/netcontroltest
-1491585965.027706	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	restoretcpport	0	36000.000000	there	Acld-bro/event/netcontroltest
-1491585965.027706	4	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	restore	0	36000.000000	-	Acld-bro/event/netcontroltest
+1491585965.027155	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-zeek/event/netcontroltest
+1491585965.027155	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-zeek/event/netcontroltest
+1491585965.027155	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-zeek/event/netcontroltest
+1491585965.027706	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	blockhosthost	0	36000.000000	here	Acld-zeek/event/netcontroltest
+1491585965.027706	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	-	0	36000.000000	here	Acld-zeek/event/netcontroltest
+1491585965.027706	3	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	droptcpport	0	36000.000000	there	Acld-zeek/event/netcontroltest
+1491585965.027706	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	-	0	36000.000000	there	Acld-zeek/event/netcontroltest
+1491585965.027706	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	drop	0	36000.000000	-	Acld-zeek/event/netcontroltest
+1491585965.027706	4	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	36000.000000	-	Acld-zeek/event/netcontroltest
+1491585965.027706	2	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	192.168.18.50/32/*->74.125.239.97/32/*	-	restorehosthost	0	36000.000000	here	Acld-zeek/event/netcontroltest
+1491585965.027706	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::FLOW	*/*->*/443	-	restoretcpport	0	36000.000000	there	Acld-zeek/event/netcontroltest
+1491585965.027706	4	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	restore	0	36000.000000	-	Acld-zeek/event/netcontroltest
 #close	2017-04-07-17-26-05
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log
index fccd9f61f7..96edf66410 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.netcontrol.log
@@ -6,15 +6,15 @@
 #open	2016-08-05-17-34-55
 #fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
 #types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
-0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Broker-bro/event/netcontroltest
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	Broker-zeek/event/netcontroltest
 0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	waiting for plugins to initialize	-	-	-	-
-1470418495.661396	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Broker-bro/event/netcontroltest
+1470418495.661396	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	Broker-zeek/event/netcontroltest
 1470418495.661396	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
-1470418496.045332	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1470418496.045332	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1470418496.045364	2	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1470418496.045364	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1470418496.045364	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
-1470418496.045364	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	removing	0	36000.000000	-	Broker-bro/event/netcontroltest
-1470418496.045364	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-bro/event/netcontroltest
+1470418496.045332	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-zeek/event/netcontroltest
+1470418496.045332	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-zeek/event/netcontroltest
+1470418496.045364	2	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-zeek/event/netcontroltest
+1470418496.045364	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::MONITOR	NetControl::FLOW	10.10.1.4/32/1470->74.53.140.153/32/25	-	-	0	36000.000000	-	Broker-zeek/event/netcontroltest
+1470418496.045364	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-zeek/event/netcontroltest
+1470418496.045364	3	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	removing	0	36000.000000	-	Broker-zeek/event/netcontroltest
+1470418496.045364	3	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	10.10.1.4/32	-	-	0	36000.000000	-	Broker-zeek/event/netcontroltest
 #close	2016-08-05-17-34-56
diff --git a/testing/btest/broker/connect-on-retry.zeek b/testing/btest/broker/connect-on-retry.zeek
index 55e98cb27d..c8fc7b26e5 100644
--- a/testing/btest/broker/connect-on-retry.zeek
+++ b/testing/btest/broker/connect-on-retry.zeek
@@ -18,8 +18,8 @@ global ping: event(msg: string, c: count);
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
-    Broker::auto_publish("bro/event/my_topic", ping);
+    Broker::subscribe("zeek/event/my_topic");
+    Broker::auto_publish("zeek/event/my_topic", ping);
     Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
     }
 
@@ -67,8 +67,8 @@ event delayed_listen()
 
 event zeek_init()
         {
-        Broker::subscribe("bro/event/my_topic");
-	Broker::auto_publish("bro/event/my_topic", pong);
+        Broker::subscribe("zeek/event/my_topic");
+        Broker::auto_publish("zeek/event/my_topic", pong);
 	schedule 5secs { delayed_listen() };
         }
 
diff --git a/testing/btest/broker/disconnect.zeek b/testing/btest/broker/disconnect.zeek
index c5ad155193..500a737ee2 100644
--- a/testing/btest/broker/disconnect.zeek
+++ b/testing/btest/broker/disconnect.zeek
@@ -17,7 +17,7 @@
 redef exit_only_after_terminate = T;
 
 global peers = 0;
-const test_topic = "bro/test/my_topic";
+const test_topic = "zeek/test/my_topic";
 
 event my_event(i: count)
 	{
@@ -52,7 +52,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 
 redef exit_only_after_terminate = T;
 
-const test_topic = "bro/test/my_topic";
+const test_topic = "zeek/test/my_topic";
 
 event my_event(i: count)
 	{
diff --git a/testing/btest/broker/error.zeek b/testing/btest/broker/error.zeek
index dec46bbbe3..88c72f3f4d 100644
--- a/testing/btest/broker/error.zeek
+++ b/testing/btest/broker/error.zeek
@@ -29,8 +29,8 @@ event Broker::error(code: Broker::ErrorCode, msg: string)
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
-    
+    Broker::subscribe("zeek/event/my_topic");
+
     schedule 2secs { do_something() };
     schedule 4secs { do_terminate() };
     }
diff --git a/testing/btest/broker/remote_event.zeek b/testing/btest/broker/remote_event.zeek
index 0fec6e4628..cdf74e15f3 100644
--- a/testing/btest/broker/remote_event.zeek
+++ b/testing/btest/broker/remote_event.zeek
@@ -17,7 +17,7 @@ global ping: event(msg: string, c: count);
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
+    Broker::subscribe("zeek/event/my_topic");
     Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
     print "is_remote should be F, and is", is_remote_event();
     }
@@ -26,7 +26,7 @@ function send_event()
     {
     ++event_count;
     local e = Broker::make_event(ping, "my-message", event_count);
-    Broker::publish("bro/event/my_topic", e);
+    Broker::publish("zeek/event/my_topic", e);
     }
 
 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
@@ -66,7 +66,7 @@ global pong: event(msg: string, c: count);
 
 event zeek_init()
         {
-        Broker::subscribe("bro/event/my_topic");
+        Broker::subscribe("zeek/event/my_topic");
         Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
         }
 
@@ -93,7 +93,7 @@ event ping(msg: string, n: count)
                 }
 
         local e = Broker::make_event(pong, msg, n);
-        Broker::publish("bro/event/my_topic", e);
+        Broker::publish("zeek/event/my_topic", e);
         }
 
 @TEST-END-FILE
diff --git a/testing/btest/broker/remote_event_any.zeek b/testing/btest/broker/remote_event_any.zeek
index d45dcfdee2..ac6721335c 100644
--- a/testing/btest/broker/remote_event_any.zeek
+++ b/testing/btest/broker/remote_event_any.zeek
@@ -17,7 +17,7 @@ global ping: event(msg: string, c: any);
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
+    Broker::subscribe("zeek/event/my_topic");
     Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
     print "is_remote should be F, and is", is_remote_event();
     }
@@ -26,7 +26,7 @@ function send_event()
     {
     ++event_count;
     local e = Broker::make_event(ping, "my-message", event_count);
-    Broker::publish("bro/event/my_topic", e);
+    Broker::publish("zeek/event/my_topic", e);
     }
 
 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
@@ -69,7 +69,7 @@ global pong: event(msg: string, c: any);
 
 event zeek_init()
         {
-        Broker::subscribe("bro/event/my_topic");
+        Broker::subscribe("zeek/event/my_topic");
         Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
         }
 
@@ -98,10 +98,10 @@ event ping(msg: string, n: any)
                 }
 
 		if ( (n as count) % 2 == 0 )
-			Broker::publish("bro/event/my_topic", pong, msg, n as count);
+			Broker::publish("zeek/event/my_topic", pong, msg, n as count);
 		else
 			# internals should not wrap n into another Broker::Data record
-			Broker::publish("bro/event/my_topic", pong, msg, n);
+			Broker::publish("zeek/event/my_topic", pong, msg, n);
         }
 
 @TEST-END-FILE
diff --git a/testing/btest/broker/remote_event_auto.zeek b/testing/btest/broker/remote_event_auto.zeek
index 77d98c389a..c5497997ac 100644
--- a/testing/btest/broker/remote_event_auto.zeek
+++ b/testing/btest/broker/remote_event_auto.zeek
@@ -17,8 +17,8 @@ global ping: event(msg: string, c: count);
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
-    Broker::auto_publish("bro/event/my_topic", ping);
+    Broker::subscribe("zeek/event/my_topic");
+    Broker::auto_publish("zeek/event/my_topic", ping);
     Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
     }
 
@@ -61,8 +61,8 @@ global pong: event(msg: string, c: count);
 
 event zeek_init()
         {
-        Broker::subscribe("bro/event/my_topic");
-	Broker::auto_publish("bro/event/my_topic", pong);
+        Broker::subscribe("zeek/event/my_topic");
+        Broker::auto_publish("zeek/event/my_topic", pong);
         Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
         }
 
diff --git a/testing/btest/broker/remote_event_ssl_auth.zeek b/testing/btest/broker/remote_event_ssl_auth.zeek
index e5fdfa8fbb..7ffdae0bda 100644
--- a/testing/btest/broker/remote_event_ssl_auth.zeek
+++ b/testing/btest/broker/remote_event_ssl_auth.zeek
@@ -176,7 +176,7 @@ global ping: event(msg: string, c: count);
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
+    Broker::subscribe("zeek/event/my_topic");
     Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
     }
 
@@ -184,7 +184,7 @@ function send_event()
     {
     ++event_count;
     local e = Broker::make_event(ping, "my-message", event_count);
-    Broker::publish("bro/event/my_topic", e);
+    Broker::publish("zeek/event/my_topic", e);
     }
 
 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
@@ -227,7 +227,7 @@ global pong: event(msg: string, c: count);
 
 event zeek_init()
         {
-        Broker::subscribe("bro/event/my_topic");
+        Broker::subscribe("zeek/event/my_topic");
         Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
         }
 
@@ -253,7 +253,7 @@ event ping(msg: string, n: count)
                 }
 
         local e = Broker::make_event(pong, msg, n);
-        Broker::publish("bro/event/my_topic", e);
+        Broker::publish("zeek/event/my_topic", e);
         }
 
 @TEST-END-FILE
diff --git a/testing/btest/broker/remote_id.zeek b/testing/btest/broker/remote_id.zeek
index faa0980414..0357493230 100644
--- a/testing/btest/broker/remote_id.zeek
+++ b/testing/btest/broker/remote_id.zeek
@@ -24,7 +24,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 	{
 	print "peer added";
-	Broker::publish_id("bro/ids/test", "test_var");
+	Broker::publish_id("zeek/ids/test", "test_var");
 	}
 
 @TEST-END-FILE
@@ -47,7 +47,7 @@ event check_var()
 event zeek_init()
 	{
 	print "intial val", test_var;
-	Broker::subscribe("bro/ids");
+	Broker::subscribe("zeek/ids");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
diff --git a/testing/btest/broker/remote_log.zeek b/testing/btest/broker/remote_log.zeek
index fa80475f6f..5a632d2f6f 100644
--- a/testing/btest/broker/remote_log.zeek
+++ b/testing/btest/broker/remote_log.zeek
@@ -44,7 +44,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 
 event zeek_init()
 	{
-	Broker::subscribe("bro/");
+	Broker::subscribe("zeek/");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
diff --git a/testing/btest/broker/remote_log_late_join.zeek b/testing/btest/broker/remote_log_late_join.zeek
index 86b9a54935..7e69bdd496 100644
--- a/testing/btest/broker/remote_log_late_join.zeek
+++ b/testing/btest/broker/remote_log_late_join.zeek
@@ -44,7 +44,7 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 
 event zeek_init()
 	{
-	Broker::subscribe("bro/");
+	Broker::subscribe("zeek/");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
diff --git a/testing/btest/broker/remote_log_types.zeek b/testing/btest/broker/remote_log_types.zeek
index beff5e997d..2417c75a41 100644
--- a/testing/btest/broker/remote_log_types.zeek
+++ b/testing/btest/broker/remote_log_types.zeek
@@ -60,7 +60,7 @@ event zeek_init() &priority=5
 
 event zeek_init()
 	{
-	Broker::subscribe("bro/");
+	Broker::subscribe("zeek/");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
@@ -123,7 +123,7 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 		]);
 
 	local e = Broker::make_event(quit_receiver);
-	Broker::publish("bro/", e);
+	Broker::publish("zeek/", e);
 	schedule 1sec { quit_sender() };
         }
 
diff --git a/testing/btest/broker/ssl_auth_failure.zeek b/testing/btest/broker/ssl_auth_failure.zeek
index 45c091c1fb..6260616763 100644
--- a/testing/btest/broker/ssl_auth_failure.zeek
+++ b/testing/btest/broker/ssl_auth_failure.zeek
@@ -105,7 +105,7 @@ event do_terminate()
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
+    Broker::subscribe("zeek/event/my_topic");
     Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
     schedule 5secs { do_terminate()   };
     }
diff --git a/testing/btest/broker/store/clone.zeek b/testing/btest/broker/store/clone.zeek
index 8730b017d2..d22b8b9632 100644
--- a/testing/btest/broker/store/clone.zeek
+++ b/testing/btest/broker/store/clone.zeek
@@ -50,8 +50,8 @@ event inserted()
 
 event zeek_init()
 	{
-	Broker::auto_publish("bro/events", done);
-	Broker::subscribe("bro/");
+	Broker::auto_publish("zeek/events", done);
+	Broker::subscribe("zeek/");
 
 	h = Broker::create_master("test");
 	Broker::put(h, "one", "110");
@@ -131,8 +131,8 @@ event lookup(stage: count)
 
 event zeek_init()
 	{
-	Broker::auto_publish("bro/events", inserted);
-	Broker::subscribe("bro/");
+	Broker::auto_publish("zeek/events", inserted);
+	Broker::subscribe("zeek/");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
diff --git a/testing/btest/broker/unpeer.zeek b/testing/btest/broker/unpeer.zeek
index dc4f589d4b..e246b3ddc5 100644
--- a/testing/btest/broker/unpeer.zeek
+++ b/testing/btest/broker/unpeer.zeek
@@ -36,8 +36,8 @@ event unpeer(endpoint: Broker::EndpointInfo)
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
-    Broker::auto_publish("bro/event/my_topic", print_something);
+    Broker::subscribe("zeek/event/my_topic");
+    Broker::auto_publish("zeek/event/my_topic", print_something);
     Broker::peer("127.0.0.1", to_port(getenv("BROKER_PORT")));
     }
 
@@ -67,7 +67,7 @@ event print_something(i: int)
 
 event zeek_init()
     {
-    Broker::subscribe("bro/event/my_topic");
+    Broker::subscribe("zeek/event/my_topic");
     Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
     schedule 10secs { do_terminate() };
     }
diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
index 66e5bbf84d..b3f1d36219 100644
--- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
+++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.zeek
@@ -22,7 +22,7 @@ redef Cluster::nodes = {
 
 global my_pool_spec: Cluster::PoolSpec =
 		Cluster::PoolSpec(
-			$topic = "bro/cluster/pool/my_pool",
+			$topic = "zeek/cluster/pool/my_pool",
 			$node_type = Cluster::PROXY
 			);
 
@@ -30,7 +30,7 @@ global my_pool: Cluster::Pool;
 
 redef Cluster::proxy_pool_spec =
 		Cluster::PoolSpec(
-			$topic = "bro/cluster/pool/proxy",
+			$topic = "zeek/cluster/pool/proxy",
 			$node_type = Cluster::PROXY,
 			$exclusive = T,
 			$max_nodes = 1 
diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek
index 96ff969a8a..23b56c8147 100644
--- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek
+++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.zeek
@@ -22,7 +22,7 @@ redef Cluster::nodes = {
 
 global my_pool_spec: Cluster::PoolSpec =
 		Cluster::PoolSpec(
-			$topic = "bro/cluster/pool/my_pool",
+			$topic = "zeek/cluster/pool/my_pool",
 			$node_type = Cluster::PROXY
 			);
 
@@ -30,7 +30,7 @@ global my_pool: Cluster::Pool;
 
 redef Cluster::proxy_pool_spec =
 		Cluster::PoolSpec(
-			$topic = "bro/cluster/pool/proxy",
+			$topic = "zeek/cluster/pool/proxy",
 			$node_type = Cluster::PROXY,
 			$exclusive = F,
 			$max_nodes = 1 
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek
index 7addee4bf7..2698a3bfab 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.zeek
@@ -21,7 +21,7 @@ event zeek_init()
 
 event NetControl::init()
 	{
-	local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=to_port(getenv("BROKER_PORT")), $acld_topic="bro/event/netcontroltest"));
+	local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=to_port(getenv("BROKER_PORT")), $acld_topic="zeek/event/netcontroltest"));
 	NetControl::activate(netcontrol_acld, 0);
 	}
 
@@ -103,7 +103,7 @@ event die()
 
 event zeek_init()
 	{
-	Broker::subscribe("bro/event/netcontroltest");
+	Broker::subscribe("zeek/event/netcontroltest");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
@@ -116,14 +116,14 @@ event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::
 	{
 	print "add_rule", id, r$entity, r$ty, ar;
 
-	Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_added, id, r, ar$command);
+	Broker::publish("zeek/event/netcontroltest", NetControl::acld_rule_added, id, r, ar$command);
 	}
 
 event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
 	{
 	print "remove_rule", id, r$entity, r$ty, ar;
 
-	Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_removed, id, r, ar$command);
+	Broker::publish("zeek/event/netcontroltest", NetControl::acld_rule_removed, id, r, ar$command);
 
 	if ( r$cid == 4 )
 		{
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.zeek b/testing/btest/scripts/base/frameworks/netcontrol/acld.zeek
index 5603219093..b710294bf9 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/acld.zeek
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.zeek
@@ -22,7 +22,7 @@ event zeek_init()
 
 event NetControl::init()
 	{
-	local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=to_port(getenv("BROKER_PORT")), $acld_topic="bro/event/netcontroltest"));
+	local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=to_port(getenv("BROKER_PORT")), $acld_topic="zeek/event/netcontroltest"));
 	NetControl::activate(netcontrol_acld, 0);
 	}
 
@@ -108,7 +108,7 @@ event die()
 
 event zeek_init()
 	{
-	Broker::subscribe("bro/event/netcontroltest");
+	Broker::subscribe("zeek/event/netcontroltest");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
@@ -122,9 +122,9 @@ event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::
 	print "add_rule", id, r$entity, r$ty, ar;
 
 	if ( r$cid != 3 )
-		Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_added, id, r, ar$command);
+		Broker::publish("zeek/event/netcontroltest", NetControl::acld_rule_added, id, r, ar$command);
 	else
-		Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_exists, id, r, ar$command);
+		Broker::publish("zeek/event/netcontroltest", NetControl::acld_rule_exists, id, r, ar$command);
 	}
 
 event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
@@ -132,9 +132,9 @@ event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetContro
 	print "remove_rule", id, r$entity, r$ty, ar;
 
 	if ( r$cid != 2 )
-		Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_removed, id, r, ar$command);
+		Broker::publish("zeek/event/netcontroltest", NetControl::acld_rule_removed, id, r, ar$command);
 	else
-		Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_error, id, r, ar$command);
+		Broker::publish("zeek/event/netcontroltest", NetControl::acld_rule_error, id, r, ar$command);
 
 	if ( r$cid == 4 )
 		{
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.zeek b/testing/btest/scripts/base/frameworks/netcontrol/broker.zeek
index c1d0f961a4..4773a3fa91 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/broker.zeek
+++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.zeek
@@ -22,7 +22,7 @@ event zeek_init()
 
 event NetControl::init()
 	{
-	local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=to_port(getenv("BROKER_PORT")), $topic="bro/event/netcontroltest"), T);
+	local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=to_port(getenv("BROKER_PORT")), $topic="zeek/event/netcontroltest"), T);
 	NetControl::activate(netcontrol_broker, 0);
 	}
 
@@ -92,7 +92,7 @@ event die()
 
 event zeek_init()
 	{
-	Broker::subscribe("bro/event/netcontroltest");
+	Broker::subscribe("zeek/event/netcontroltest");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
@@ -106,19 +106,19 @@ event NetControl::broker_add_rule(id: count, r: NetControl::Rule)
 	print "add_rule", id, r$entity, r$ty;
 
 	if ( r$cid == 3 )
-		Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_added, id, r, "");
+		Broker::publish("zeek/event/netcontroltest", NetControl::broker_rule_added, id, r, "");
 	if ( r$cid == 2 )
-		Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_exists, id, r, "");
+		Broker::publish("zeek/event/netcontroltest", NetControl::broker_rule_exists, id, r, "");
 
 	if ( r$cid == 2 )
-		Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo());
+		Broker::publish("zeek/event/netcontroltest", NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo());
 	}
 
 event NetControl::broker_remove_rule(id: count, r: NetControl::Rule, reason: string)
 	{
 	print "remove_rule", id, r$entity, r$ty, reason;
 
-	Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_removed, id, r, "");
+	Broker::publish("zeek/event/netcontroltest", NetControl::broker_rule_removed, id, r, "");
 
 	if ( r$cid == 3 )
 		{
diff --git a/testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek b/testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek
index b84a337b9f..e1d05db7a5 100644
--- a/testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek
+++ b/testing/btest/scripts/base/frameworks/openflow/broker-basic.zeek
@@ -18,7 +18,7 @@ global of_controller: OpenFlow::Controller;
 event zeek_init()
 	{
 	suspend_processing();
-	of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, to_port(getenv("BROKER_PORT")), "bro/openflow", 42);
+	of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, to_port(getenv("BROKER_PORT")), "zeek/openflow", 42);
 	}
 
 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
@@ -88,7 +88,7 @@ redef exit_only_after_terminate = T;
 
 event zeek_init()
 	{
-	Broker::subscribe("bro/openflow");
+	Broker::subscribe("zeek/openflow");
 	Broker::listen("127.0.0.1", to_port(getenv("BROKER_PORT")));
 	}
 
@@ -105,8 +105,8 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 event OpenFlow::broker_flow_mod(name: string, dpid: count, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod)
 	{
 	print "got flow_mod", dpid, match, flow_mod;
-	Broker::publish("bro/openflow", OpenFlow::flow_mod_success, name, match, flow_mod, "");
-	Broker::publish("bro/openflow", OpenFlow::flow_mod_failure, name, match, flow_mod, "");
+	Broker::publish("zeek/openflow", OpenFlow::flow_mod_success, name, match, flow_mod, "");
+	Broker::publish("zeek/openflow", OpenFlow::flow_mod_failure, name, match, flow_mod, "");
 	}
 
 event OpenFlow::broker_flow_clear(name: string, dpid: count)

From 86ac468882e02846537771806d9cf11ff3a62735 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Mon, 3 Jun 2019 14:34:31 +1000
Subject: [PATCH 12/91] support the newer TLS 1.3 key_share extension.

This one adds a separate new case that has to be parsed differently - if
a hello-retry-request is sent, only the namedgroup is sent - without the
additional key material.

Support for the legacy extension is retained.
---
 src/analyzer/protocol/ssl/ssl-defs.pac        |   3 +-
 .../protocol/ssl/tls-handshake-analyzer.pac   |  16 ++++++++
 .../protocol/ssl/tls-handshake-protocol.pac   |  18 +++++++--
 .../ssl.log                                   |   6 +--
 .../scripts.base.protocols.ssl.tls13/.stdout  |  27 +++++++++++++
 .../ssl-out.log                               |  36 ++++++++++++++----
 testing/btest/Traces/tls/hrr.pcap             | Bin 0 -> 5480 bytes
 .../protocols/ssl/tls-extension-events.test   |   1 -
 .../scripts/base/protocols/ssl/tls13.test     |   4 ++
 9 files changed, 94 insertions(+), 17 deletions(-)
 create mode 100644 testing/btest/Traces/tls/hrr.pcap

diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 26eb29bfc5..6c2d6a0bfa 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -145,7 +145,7 @@ enum SSLExtensions {
 	EXT_STATUS_REQUEST_V2 = 17,
 	EXT_SIGNED_CERTIFICATE_TIMESTAMP = 18,
 	EXT_SESSIONTICKET_TLS = 35,
-	EXT_KEY_SHARE = 40,
+	EXT_KEY_SHARE_OLD = 40,
 	EXT_PRE_SHARED_KEY = 41,
 	EXT_EARLY_DATA = 42,
 	EXT_SUPPORTED_VERSIONS = 43,
@@ -154,6 +154,7 @@ enum SSLExtensions {
 	EXT_TICKET_EARLY_DATA_INFO = 46,
 	EXT_CERTIFICATE_AUTHORITIES = 47,
 	EXT_OID_FILTERS = 48,
+	EXT_KEY_SHARE = 51,
 	EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
 	EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
 	EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index 37fa2989b4..99d95e8a7c 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -138,6 +138,18 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 
+	function proc_hello_retry_request_key_share(rec: HandshakeRecord, namedgroup: uint16) : bool
+		%{
+		if ( ! ssl_extension_key_share )
+			return true;
+
+		VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
+
+		nglist->Assign(0u, val_mgr->GetCount(namedgroup));
+		BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist);
+		return true;
+		%}
+
 	function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool
 		%{
 		if ( ! ssl_extension_signature_algorithm )
@@ -552,6 +564,10 @@ refine typeattr ServerHelloKeyShare += &let {
 	proc : bool = $context.connection.proc_server_key_share(rec, keyshare);
 };
 
+refine typeattr HelloRetryRequestKeyShare += &let {
+	proc : bool = $context.connection.proc_hello_retry_request_key_share(rec, namedgroup);
+};
+
 refine typeattr ClientHelloKeyShare += &let {
 	proc : bool = $context.connection.proc_client_key_share(rec, keyshares);
 };
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 1ed6816f45..479275bbe3 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -774,7 +774,8 @@ type SSLExtension(rec: HandshakeRecord) = record {
 		EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
 		EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
 		EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0);
-		EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0);
+		EXT_KEY_SHARE -> key_share: KeyShare(rec, this)[] &until($element == 0 || $element != 0);
+		EXT_KEY_SHARE_OLD -> key_share_old: KeyShare(rec, this)[] &until($element == 0 || $element != 0);
 		EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
 		EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
 		EXT_PRE_SHARED_KEY -> pre_shared_key: PreSharedKey(rec)[] &until($element == 0 || $element != 0);
@@ -852,14 +853,23 @@ type ServerHelloKeyShare(rec: HandshakeRecord) = record {
 	keyshare : KeyShareEntry;
 };
 
+type HelloRetryRequestKeyShare(rec: HandshakeRecord) = record {
+	namedgroup : uint16;
+};
+
+type ServerHelloKeyShareChoice(rec: HandshakeRecord, ext: SSLExtension) = case (ext.data_len) of {
+	2 -> hrr : HelloRetryRequestKeyShare(rec);
+	default -> server : ServerHelloKeyShare(rec);
+};
+
 type ClientHelloKeyShare(rec: HandshakeRecord) = record {
 	length: uint16;
 	keyshares : KeyShareEntry[] &until($input.length() == 0);
-};
+} &length=(length+2);
 
-type KeyShare(rec: HandshakeRecord) = case rec.msg_type of {
+type KeyShare(rec: HandshakeRecord, ext: SSLExtension) = case rec.msg_type of {
 	CLIENT_HELLO -> client_hello_keyshare : ClientHelloKeyShare(rec);
-	SERVER_HELLO -> server_hello_keyshare : ServerHelloKeyShare(rec);
+	SERVER_HELLO -> server_hello_keyshare : ServerHelloKeyShareChoice(rec, ext);
 	# ... well, we don't parse hello retry requests yet, because I don't have an example of them on the wire.
 	default -> other : bytestring &restofdata &transient;
 };
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log
index b5106d5830..b401968a6a 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2018-03-27-21-57-37
+#open	2019-06-03-04-39-51
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1520820013.621497	CHhAvVGS1DHFjwGM9	192.168.86.23	63449	52.32.149.186	443	TLSv13-draft23	TLS_AES_128_GCM_SHA256	-	tls13.crypto.mozilla.org	T	-	-	T	-	-	-	-	-	-
-#close	2018-03-27-21-57-37
+1520820013.621497	CHhAvVGS1DHFjwGM9	192.168.86.23	63449	52.32.149.186	443	TLSv13-draft23	TLS_AES_128_GCM_SHA256	x25519	tls13.crypto.mozilla.org	T	-	-	T	-	-	-	-	-	-
+#close	2019-06-03-04-39-51
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
index 8f99fca95c..255ea30290 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
@@ -54,3 +54,30 @@ encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T
+x25519
+client, TLSv10, TLSv12
+key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F
+x25519
+server, TLSv12, TLSv12
+encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
+encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
+established, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp]
+encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
+encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
+encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
+encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
+encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
+key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
+secp224r1
+client, TLSv10, TLSv12
+key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
+secp256r1
+server, TLSv12, TLSv12
+established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp]
+encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 22
+encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 22
+encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
+encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
+encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
+encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
index 6de82c114a..f363be0a53 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
@@ -3,42 +3,62 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2016-10-07-19-21-58
+#open	2019-06-03-04-33-19
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
 1475791805.525848	ClEkJM2Vm5giqnMf4h	192.168.6.203	53227	52.32.149.186	443	-	-	-	tls13.crypto.mozilla.org	F	protocol_version	-	F	-	-	-	-	-	-
 1475791805.468951	CHhAvVGS1DHFjwGM9	192.168.6.203	53226	52.32.149.186	443	-	-	-	tls13.crypto.mozilla.org	F	protocol_version	-	F	-	-	-	-	-	-
-#close	2016-10-07-19-21-58
+#close	2019-06-03-04-33-19
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2016-10-07-19-21-59
+#open	2019-06-03-04-33-20
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
 1475794630.046060	CHhAvVGS1DHFjwGM9	192.168.6.203	53994	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	F	-	-	-	-	-	-
 1475794635.195006	ClEkJM2Vm5giqnMf4h	192.168.6.203	53996	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	T	-	-	-	-	-	-
-#close	2016-10-07-19-21-59
+#close	2019-06-03-04-33-20
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2016-10-07-19-22-00
+#open	2019-06-03-04-33-20
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
 1475787575.867992	CHhAvVGS1DHFjwGM9	192.150.187.20	54980	52.32.149.186	443	-	-	-	tls13.crypto.mozilla.org	F	protocol_version	-	F	-	-	-	-	-	-
 1475787575.922474	ClEkJM2Vm5giqnMf4h	192.150.187.20	54982	52.32.149.186	443	-	-	-	tls13.crypto.mozilla.org	F	protocol_version	-	F	-	-	-	-	-	-
-#close	2016-10-07-19-22-00
+#close	2019-06-03-04-33-20
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2016-10-07-19-22-01
+#open	2019-06-03-04-33-21
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
 1475795116.906579	CHhAvVGS1DHFjwGM9	192.150.187.20	36778	138.68.41.77	443	TLSv13-draft16	TLS_CHACHA20_POLY1305_SHA256	secp384r1	-	F	unknown_ca	-	F	-	-	-	-	-	-
 1475795124.328003	ClEkJM2Vm5giqnMf4h	192.150.187.20	36782	138.68.41.77	443	TLSv13-draft16	TLS_CHACHA20_POLY1305_SHA256	secp384r1	-	F	-	-	T	-	-	-	-	-	-
-#close	2016-10-07-19-22-01
+#close	2019-06-03-04-33-21
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2019-06-03-04-33-22
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1555610808.383902	CHhAvVGS1DHFjwGM9	192.168.178.80	54220	174.138.9.219	443	TLSv13	TLS_CHACHA20_POLY1305_SHA256	x25519	-	T	-	-	T	-	-	-	-	-	-
+#close	2019-06-03-04-33-22
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2019-06-03-04-33-22
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1556554523.016311	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	T	-	-	T	-	-	-	-	-	-
+#close	2019-06-03-04-33-22
diff --git a/testing/btest/Traces/tls/hrr.pcap b/testing/btest/Traces/tls/hrr.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d3d55ded24b2550d65e193f5a9e00774c188b638
GIT binary patch
literal 5480
zcmb`L2{=^i8^F&j##kdu6Vad|CYK~@)<hy@D@$oGS;kJ;!q6g1qGS{|S&FPJ)+{%b
zElVO%SA-#=g>*|<{@;h&bLrl0_j&&B<8{vG9N+u<-tS$`IjkHUtjP$17^+GMpull%
zQBVjU;!UyhadLMfI#S5?6fdH!i@O~a+=8GHX2ef%tIgIe2!cU4k?mwJUne)BtfI8M
zv<$e8MU)XAI}iIKt{y}Q7bjZ}JF*AyD8<VgP9`g@C@o9ew27$c;o(C0_Gbkp>CN&o
z(y|+&0U(eG@(>q~a8@)>iW{`>?e8>zfK>6Iz%@ML?m=<$_I3exaUm!5#eTJ*sMMXD
zJMk4+*(wVE2i}VV8V?6R^1_*rwh$}&Zg372LD-pdQKv^{ee{*_hz^2iz#k19wwv{?
zOqRw-S=46(RJnC>Di^%>26}GJHWPRQ%T$QMU~niDo>hmBoDZ*I(eO8lhJ^>f2HC-J
zaf}5={QQ*#7RZ#iIEGBoH>~K!U<`GEhQu~9uFE;kq}qQ3K^$-@&X5Okp~^oSa60+0
z0xs?=D@TbP*XNn+v1mN2!l5aB$OQQC`9WWljgLN=TgnA}{C8ZC2XdVT3I%cv0xm6Z
z4)r@<0q4&9YIvEixB(j*jSG)`r3fr9_^1qWE#>$p|3LeY!v%r@fgHZm&U9%ohPs>s
zMO@&(O#dwh0gqj4^d|=;0CMnSP{=DV(*On|Gajp^@Z@7+CWn)AoY$>{21nzD=Zy4*
zht!>IXnx03q5!pYYvc<~36#~-rZ@IsTPH8CV;)a1$zA(m?H9e@@|zJn51I!9!f_5v
zcn)Dhuowh|Mp(gi<3K{KLI{W$K;{R!3MdC6jI6<8m@qgDo*9qFv*20rY<Mi536H~~
zm{2$rB86bk7%Z|0L8DNJ9HNeF1JfvBeWc#@PjYz91TnN8gvIZ<5h`lN+fO<WUKmny
zA*!iv&gu98Us-;t?Z~D<{?dZjS)Ilk<}F)|G=3b5(8u71who{{K_l!4mEz?_ak23s
zd(Wpn0<XdSh=n%*f%`E^rP9H6B2d4J*DZ`D7_Ul#%i@&{#On-=3wb{XLJh`+!l9YH
zI((FX#%?EJl6MDbAwB>P;K0t;g1?JX$N_mKfkJ^i>)ojIJa`WDJ03ct8S*HW{4Eaw
zd9P)=l!qUKLH2|2G{s;ZiRAeVULtc>2}PrYDW!4u(zy8p%A*f5UuNmA&yq|2*ZAN8
z^RR<Wg?lOo*0qWkOpZbgyqhC?<;)2KURX2!ZOw44aLqKJP~e((fHiA@bEwO60v0|E
zSjU#<<_yS9H;|j?9+rhQ1OLavefV*l(0~PK-w%QUf%e<osdQB^hPvE7N_xRQ=Iyea
zT(D2TqtC2fYJb5k(DU!We53#G%)Ipf&rDs=FIFL%SYKw`=+$R9Q3kiAgm%Gb#?8q$
zNlK$E=M(pH?Cux&EaY!k<1|*+sVrVqxo#&`OiVx3q%oYMk~EmPU(Kar8z>h4+$*5J
zq2DW@i-ADDle4LGUvLifyI3bPp3KMk(9&4<ueDB2`$QuklPqAT7jusc_uf5PyQFR0
z%Y}RiB|dswU@v1}=li<CdOzN4GZxC#J#~?+b`78K*2P!-b{w*v!)?oVUsKfhQ!xvf
zA$v4XD3Co3u>aTIoAwFD><tjJ2?xK$Od5<?6pD$J)5*UU=!YN2FJyo$!%UE5fyF9^
zN>2l0sLTDx6wPRdew3?N>PH{9c|UR?laY-}{RksB3FJB*gK4nMh|VSRw#N<IkzBgp
zBomKxj+UzEWS#dO_Ea`gANr}9VFaqhLVQtXjZ+g&6}=GZV>kami_bqH{l|*E++&=a
zeL+gnrej+CdP#1Lwj}G*hOry^^|datZ?~A(*z}e|ruSaD!<1duLh)IJ!C+r9ho#`%
z?A^|jC%TEWc;|MadjLz>Lp3~C)k>y>8dI?xdA+?O!fF?%)@o$V4!2q&0|&3ka+nBt
zy+NU#YhEqCwSQILiDH%(>(;j)M?yDlWHT!b?#n+g$7tiAWW1cqniz^q4>1X9*~c{T
zQuNrigl&6Yn532uYkzuUIQYo@YGBUzNpWkJ?ZLf+v@?DC2hzPye%5d^H@UB(Q<La+
zS4+j%|91<@+^i_xE#m!XM~jpX<7uqPuCHQ~fm4xL<~>$YJ>u9dwe&eNl>c;f%fPj`
zMl;y}!(UI@@G6`$ex&OoB|{z%TG7SR$j<W{;U%_Of$6x+p6$dKS$tr+#`(dShqL~t
zei6;{rjK2Y5#5QQgyTl?Q01y0Ucbh@6Xx2Kqn2GkcrUY`5Xb6I`u*9(zzuP?6%JR~
z7uO8(M(I8(Ig~xR^VFT3vqrswx+>w?^gBMWhcH%`4{$k&;z<`~B=xMCThHqk1;+bC
zeU(We#dsC_hR&kbS;e?=d=@yWs!Lci5&nz28fTqgM83;OMYUj+UCfNat`_HQ%K4Sq
zs-05&{NDSt*jsNz?Xi%$FY0kzWwzt&(a{fUq$+kZ^{J;z7~{h%kFaSvurTdvn&|dA
ztY6vFgCP|JCdKx~6S7P6+c_T2)*;^FDK%$D53OdcE4A$AFWdG=Fp;o2w9Rw6q?shq
zdfa+&sAz`=Gf#Vm$enVRyU)%VioG(8Opa;3+HvfVM_=u44p+Q+Z3Xo|KD4`M6Q9)G
z>sJ;m@9yf@tsmj2^rW6O^T6S%T*R{Ox(Mk7eP3DH+S-q$)ed;?KV}=xyi>{jWqtYX
z6K02=wZGS_kdG?}xk}n0QhVu){g+!irzHIjBt&!@YgkOW3f{}B*!;{R<@uDU7+Pb<
zfNUKmlKT4GQ)OPI3L%l(UGZUq7oyw?o@25^J<7xlH&F~#&2N!eR0x7}B<N;JVQntY
zt7(~@$$cG(*tFH>9**9=-pVMlP<LpO5w6klTv7d!_DOvA{oiJ)-{4~UP|DGbMg%No
zwYouMyiIVR4e|8FY~K3<)t-8XZ|mT%w9Oa>X_d^>s7w3Z-0&PToc?J=*)jc|JtB>D
z?qxQrtXE{qT3U@;j`&;G?Hu+Eno?X-mGIe(_<DMWs@sNjtxvtrN>1%&SABK!YGk5a
z+D^uC8*i^&wO0re+Lf<dZmsGteL8GW+!b9yxt7!<!08bxq^^N%{{7-k4e`e56lIa*
zs^RO=N19uA9GsBTzqv&+Z{-Wym{6qwikFpAlEu*e%jYKdnSU}1=|JM7`pTPQUME^6
zWTaU$TST-CoH$GmELK0ZDe#f3L~z;L&4rAQQUzHUwy#svIktL(kwG6pyC`P=5Sh6b
z{JoUOK-Ze0MvsS2BJ&%Z?lBF?8>Of#uq78CWAM>sxTG2%+idP?sxH}=F*x<&EV(e1
zvmn<0dZiq%>s&zx_JsR+a~V(OHEDs5Gi-A#EUoD55);N4cE|lh^NFtD?%|a9?7Pxx
z!8s}EZxvkjMu<oZW*XFC`PN45X<S`xDUV7!)9*Z<;5TMD^fF)*)`D6)<Zor=wxY9Q
z!${^pWsH69sw;v5*5p%x&U&d;CtL3no?W?pB*kz5AFcqZ?N2->!TJvCJPj6kAh73z
zf;#_SpOawE@&7>MVjk-ZThepLKkhR$U=!M}2MPt+&nu+TVgFg^gUjAGgBPFEE-!sf
zTC`8VBPHSA>}P<UM+S8q(YblR>kLo9ExdYJSnKJ2REtq2>4E#64$TKFRs`xp=KYT<
z1f7qySQrKMnr!H0yL9(u^R#sDmK#~03mDtmqkI&@uBe+``_Xd;<cI4>1RV_uTu0Op
zm2L{gP?z^hv>Kxi_RFo)OZ%n&2kYc?P59i=%JZ#XdV=SU46qI~)5>rab8Y$c{@HO^
zdIR+i^%^>tUt3_sWkRK=w~shfmP$-%3n;FelI;K0GMGeLcUD3*&Z_G|uw8o_(ixEv
z&NKdaI^mpSsw4%=LNW3)n7#N;b>t+TCscc_h6Lt`;^^i9wJRdgEHY7&=Yu{L<X<;u
zls23`zTPFt@y!<bCfSHDq-6VYy)A{}=F}4L4M!>A5xy;QA1N(4;ZkD}&rOR0a&i7<
zSsbd?)9-$noshJ;#V3EUFyL-sPbz6RUZ25->y{w}v_&-@=w#yyy5Lfqu1uY7kN$cv
z^kwkw9@CJ`+)9kV2-Fj4gGqPEiL7$LGQ7pq^-hldEE=DCO3vP(rm-jik<HXE@ef3U
zC@CZHP3Kor5+c2sbdDxHmb~N2_SC_t+vB}sZzV477VFcMkr$3|Z4B95T(nwH%tT7}
zPF%8;?gOC{b+>z(ALM=2AgqZjS!arNPZE6WP!?>sNxxjBdY@WU+Hj9VeSNlT=DquB
zM!w~VyJq^d2pCtn?1KI`P0Zt!CO*7V`W{F0nD*APU(i#1c2?MdiqkJX8fi{`iyy=a
zDa&z^vQ5!g&p%dEWMYitbTwb!w{rfFDJDHx<tVRwRprAuW?ARpQv}nRUCF#%<%dSc
zHhQ1oXKyG}*-|;~B&@1^Z#}o$U9tPO`o37-X!xp2u-RTUGamX!?#HfK@0L3mE3-EC
zh8QRPOn$?7T%O-OATG5)j6z-h9`aA`LFt;DPJ!TEl=)K!m~P=41*HJwm*>yr_g}x=
z*kt+AErDgI-`O`<%<tBv`Mqc#<oAh@KkYllLi;ekd7^#xBqzLT`(mrd;pvfTHv6tE
z{l{E?e!HQ~Gc4q*AK?1WezBPM3pXBV!z|_cv3+P4?#o}l5g2s({@@$I5cs&@fKxcO
zv|a?xfO=s`<3=W*g4yQZQ^-h&4xeLek#BK9yy`yiBK$LP^5-`K$OQ$~uLpqVKl{TH
W_+u8lFC#6(-~5rR0GR&WAO8c~&l0}?

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
index 247b7c4e5c..99e9847fb4 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
@@ -53,7 +53,6 @@ event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes:
 event ssl_extension_pre_shared_key_client_hello(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec)
 	{
 	print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders;
-
 	}
 
 event ssl_extension_pre_shared_key_server_hello(c: connection, is_orig: bool, selected_identity: count)
diff --git a/testing/btest/scripts/base/protocols/ssl/tls13.test b/testing/btest/scripts/base/protocols/ssl/tls13.test
index 5f67e0333e..d7db1626e4 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@@ -6,6 +6,10 @@
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: zeek -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: zeek -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: zeek -C -r $TRACES/tls/hrr.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: btest-diff ssl-out.log
 # @TEST-EXEC: btest-diff .stdout
 

From 8b0098a8d44db67d6f133f81fd4f4022303d6444 Mon Sep 17 00:00:00 2001
From: Palumbo Mauro <mauro.palumbo@aizoon.it>
Date: Mon, 3 Jun 2019 17:17:38 +0200
Subject: [PATCH 13/91] remove events ntp_mode6_message and ntp_mode7_message

---
 aux/broker                                 | 2 +-
 aux/btest                                  | 2 +-
 aux/netcontrol-connectors                  | 2 +-
 doc                                        | 2 +-
 src/analyzer/protocol/ntp/events.bif       | 3 ---
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 8 --------
 6 files changed, 4 insertions(+), 15 deletions(-)

diff --git a/aux/broker b/aux/broker
index bfefac3a88..474a6d902b 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit bfefac3a882b382bfb7ad749974930884da954a6
+Subproject commit 474a6d902b1c41912b216c06a74085ff3b102bad
diff --git a/aux/btest b/aux/btest
index 539c2d8253..6ece47ba64 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 539c2d82534345c62ba9a20c2e98ea5cbdea9c7e
+Subproject commit 6ece47ba6438e7a6db5c7b85a68b3c16f0911871
diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors
index 43da5d80fd..e93235aa6e 160000
--- a/aux/netcontrol-connectors
+++ b/aux/netcontrol-connectors
@@ -1 +1 @@
-Subproject commit 43da5d80fdf0923e790af3c21749f6e6241cda80
+Subproject commit e93235aa6e45820af7e23e97627845a7b2b3d919
diff --git a/doc b/doc
index 7f64a90d86..3db2ff8fa6 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 7f64a90d86fc53506f93fb4c327fdb8c4e3aab0a
+Subproject commit 3db2ff8fa65f5acb3f7807a0302d5c81db1e2227
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
index 4205b28efd..3d864fc89a 100644
--- a/src/analyzer/protocol/ntp/events.bif
+++ b/src/analyzer/protocol/ntp/events.bif
@@ -7,6 +7,3 @@
 ## msg: The NTP message record
 ##
 event ntp_message%(c: connection, is_orig: bool, msg: NTP::Message%);
-
-event ntp_mode6_message%(c: connection, is_orig: bool, opcode: count%);
-event ntp_mode7_message%(c: connection, is_orig: bool, opcode: count%);
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index d887dd4a25..61a7472a49 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -89,11 +89,3 @@ refine flow NTP_Flow += {
 refine typeattr NTP_Association += &let {
 	proc: bool = $context.flow.proc_ntp_association(this);
 };
-
-refine typeattr NTP_Mode6 += &let {
-	proc: bool = $context.flow.proc_ntp_mode6(this);
-};
-
-refine typeattr NTP_Mode7 += &let {
-	proc: bool = $context.flow.proc_ntp_mode7(this);
-};

From 19fd5f66e814baf6f7343721b64592b3ea6564f5 Mon Sep 17 00:00:00 2001
From: Palumbo Mauro <mauro.palumbo@aizoon.it>
Date: Mon, 3 Jun 2019 17:26:46 +0200
Subject: [PATCH 14/91] refactor mode 7

---
 src/analyzer/protocol/ntp/CMakeLists.txt   |   2 +-
 src/analyzer/protocol/ntp/ntp-mode7.pac    | 123 +++++++++++++++++++++
 src/analyzer/protocol/ntp/ntp-protocol.pac | 123 ---------------------
 src/analyzer/protocol/ntp/ntp.pac          |  12 +-
 4 files changed, 127 insertions(+), 133 deletions(-)
 create mode 100644 src/analyzer/protocol/ntp/ntp-mode7.pac

diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
index 8d603f49f6..ae26c7cdcd 100644
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ b/src/analyzer/protocol/ntp/CMakeLists.txt
@@ -8,5 +8,5 @@ bro_plugin_begin(Bro NTP)
 	bro_plugin_cc(NTP.cc Plugin.cc)
 	bro_plugin_bif(types.bif)
 	bro_plugin_bif(events.bif)
-	bro_plugin_pac(ntp.pac ntp-analyzer.pac ntp-protocol.pac)
+	bro_plugin_pac(ntp.pac ntp-analyzer.pac ntp-mode7.pac ntp-protocol.pac)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/ntp/ntp-mode7.pac b/src/analyzer/protocol/ntp/ntp-mode7.pac
new file mode 100644
index 0000000000..33b88ec6c4
--- /dev/null
+++ b/src/analyzer/protocol/ntp/ntp-mode7.pac
@@ -0,0 +1,123 @@
+# This is a mode7 message as described below. 
+# The documentation below is taken from the NTP official project (www.ntp.org),
+# code v. ntp-4.2.8p13, in include/ntp_request.h.
+#
+# A mode 7 packet is used exchanging data between an NTP server
+# and a client for purposes other than time synchronization, e.g.
+# monitoring, statistics gathering and configuration.  A mode 7
+# packet has the following format:
+#
+#    0			  1		      2			  3
+#    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |R|M| VN  | Mode|A|  Sequence   | Implementation|   Req Code    |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |  Err  | Number of data items  |  MBZ  |   Size of data item   |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |								     |
+#   |            Data (Minimum 0 octets, maximum 500 octets)        |
+#   |								     |
+#                            [...]
+#   |								     |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |               Encryption Keyid (when A bit set)               |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#   |								     |
+#   |          Message Authentication Code (when A bit set)         |
+#   |								     |
+#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#
+# where the fields are (note that the client sends requests, the server
+# responses):
+#
+# Response Bit:  This packet is a response (if clear, packet is a request).
+#
+# More Bit:	Set for all packets but the last in a response which
+#		requires more than one packet.
+#
+# Version Number: 2 for current version
+#
+# Mode:	Always 7
+#
+# Authenticated bit: If set, this packet is authenticated.
+#
+# Sequence number: For a multipacket response, contains the sequence
+#		number of this packet.  0 is the first in the sequence,
+#		127 (or less) is the last.  The More Bit must be set in
+#		all packets but the last.
+#
+# Implementation number: The number of the implementation this request code
+#		is defined by.  An implementation number of zero is used
+#		for requst codes/data formats which all implementations
+#		agree on.  Implementation number 255 is reserved (for
+#		extensions, in case we run out).
+#
+# Request code: An implementation-specific code which specifies the
+#		operation to be (which has been) performed and/or the
+#		format and semantics of the data included in the packet.
+#
+# Err:		Must be 0 for a request.  For a response, holds an error
+#		code relating to the request.  If nonzero, the operation
+#		requested wasn't performed.
+#
+#		0 - no error
+#		1 - incompatible implementation number
+#		2 - unimplemented request code
+#		3 - format error (wrong data items, data size, packet size etc.)
+#		4 - no data available (e.g. request for details on unknown peer)
+#		5-6 I don't know
+#		7 - authentication failure (i.e. permission denied)
+#
+# Number of data items: number of data items in packet.  0 to 500
+#
+# MBZ:		A reserved data field, must be zero in requests and responses.
+#
+# Size of data item: size of each data item in packet.  0 to 500
+#
+# Data:	Variable sized area containing request/response data.  For
+#		requests and responses the size in octets must be greater
+#		than or equal to the product of the number of data items
+#		and the size of a data item.  For requests the data area
+#		must be exactly 40 octets in length.  For responses the
+#		data area may be any length between 0 and 500 octets
+#		inclusive.
+#
+# Message Authentication Code: Same as NTP spec, in definition and function.
+#		May optionally be included in requests which require
+#		authentication, is never included in responses.
+#
+# The version number, mode and keyid have the same function and are
+# in the same location as a standard NTP packet.  The request packet
+# is the same size as a standard NTP packet to ease receive buffer
+# management, and to allow the same encryption procedure to be used
+# both on mode 7 and standard NTP packets.  The mac is included when
+# it is required that a request be authenticated, the keyid should be
+# zero in requests in which the mac is not included.
+#
+# The data format depends on the implementation number/request code pair
+# and whether the packet is a request or a response.  The only requirement
+# is that data items start in the octet immediately following the size
+# word and that data items be concatenated without padding between (i.e.
+# if the data area is larger than data_items*size, all padding is at
+# the end).  Padding is ignored, other than for encryption purposes.
+# Implementations using encryption might want to include a time stamp
+# or other data in the request packet padding.  The key used for requests
+# is implementation defined, but key 15 is suggested as a default.
+
+type NTP_mode7_msg = record {
+  second_byte       : uint8;
+  implementation    : uint8;
+  request_code      : uint8;
+  err_and_data_len  : uint16;
+  data              : bytestring &length=data_len;
+  have_mac          : case(auth_bit) of {
+        		true  -> mac: NTP_MAC;
+    			false -> nil: empty;
+  			};
+} &let {
+  auth_bit  : bool  = (second_byte & 0x80) > 0;
+  sequence  : uint8 = (second_byte & 0x7F);
+  error_code: uint8 = (err_and_data_len & 0xF000) >> 12;
+  data_len  : uint16 = (err_and_data_len & 0x0FFF);
+} &byteorder=bigendian &exportsourcedata;
+
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index 1b36974a0c..cbac2ee09d 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -85,126 +85,3 @@ type NTP_Mode6(first_byte: uint8, version: uint8) = record {
 	opcode      : uint8 = (rem_op & 0x1f);
 	pad_length  : uint8 = (count % 32 == 0) ? 0 : 32 - (count % 32);
 };
-
-
-# From ntp/include/ntp_request.h of the ntp-project:
-#
-# A mode 7 packet is used exchanging data between an NTP server
-# and a client for purposes other than time synchronization, e.g.
-# monitoring, statistics gathering and configuration.  A mode 7
-# packet has the following format:
-#
-#    0                   1                   2                   3
-#    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-#   |R|M| VN  | Mode|A|  Sequence   | Implementation|   Req Code    |
-#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-#   |  Err  | Number of data items  |  MBZ  |   Size of data item   |
-#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-#   |                                                               |
-#   |            Data (Minimum 0 octets, maximum 500 octets)        |
-#   |                                                               |
-#                            [...]
-#   |                                                               |
-#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-#   |               Encryption Keyid (when A bit set)               |
-#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-#   |                                                               |
-#   |          Message Authentication Code (when A bit set)         |
-#   |                                                               |
-#   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-#
-# where the fields are (note that the client sends requests, the server
-# responses):
-#
-# Response Bit:  This packet is a response (if clear, packet is a request).
-#
-# More Bit:	Set for all packets but the last in a response which
-#		requires more than one packet.
-#
-# Version Number: 2 for current version
-#
-# Mode:	Always 7
-#
-# Authenticated bit: If set, this packet is authenticated.
-#
-# Sequence number: For a multipacket response, contains the sequence
-#		number of this packet.  0 is the first in the sequence,
-#		127 (or less) is the last.  The More Bit must be set in
-#		all packets but the last.
-#
-# Implementation number: The number of the implementation this request code
-#		is defined by.  An implementation number of zero is used
-#		for requst codes/data formats which all implementations
-#		agree on.  Implementation number 255 is reserved (for
-#		extensions, in case we run out).
-#
-# Request code: An implementation-specific code which specifies the
-#		operation to be (which has been) performed and/or the
-#		format and semantics of the data included in the packet.
-#
-# Err:		Must be 0 for a request.  For a response, holds an error
-#		code relating to the request.  If nonzero, the operation
-#		requested wasn't performed.
-#
-#		0 - no error
-#		1 - incompatible implementation number
-#		2 - unimplemented request code
-#		3 - format error (wrong data items, data size, packet size etc.)
-#		4 - no data available (e.g. request for details on unknown peer)
-#		5-6 I don't know
-#		7 - authentication failure (i.e. permission denied)
-#
-# Number of data items: number of data items in packet.  0 to 500
-#
-# MBZ:		A reserved data field, must be zero in requests and responses.
-#
-# Size of data item: size of each data item in packet.  0 to 500
-#
-# Data:	Variable sized area containing request/response data.  For
-#		requests and responses the size in octets must be greater
-#		than or equal to the product of the number of data items
-#		and the size of a data item.  For requests the data area
-#		must be exactly 40 octets in length.  For responses the
-#		data area may be any length between 0 and 500 octets
-#		inclusive.
-#
-# Message Authentication Code: Same as NTP spec, in definition and function.
-#		May optionally be included in requests which require
-#		authentication, is never included in responses.
-#
-# The version number, mode and keyid have the same function and are
-# in the same location as a standard NTP packet.  The request packet
-# is the same size as a standard NTP packet to ease receive buffer
-# management, and to allow the same encryption procedure to be used
-# both on mode 7 and standard NTP packets.  The mac is included when
-# it is required that a request be authenticated, the keyid should be
-# zero in requests in which the mac is not included.
-#
-# The data format depends on the implementation number/request code pair
-# and whether the packet is a request or a response.  The only requirement
-# is that data items start in the octet immediately following the size
-# word and that data items be concatenated without padding between (i.e.
-# if the data area is larger than data_items*size, all padding is at
-# the end).  Padding is ignored, other than for encryption purposes.
-# Implementations using encryption might want to include a time stamp
-# or other data in the request packet padding.  The key used for requests
-# is implementation defined, but key 15 is suggested as a default.
-#
-type NTP_Mode7(first_byte: uint8, version: uint8) = record {
-	second_byte       : uint8;
-	implementation_num: uint8;
-	request_code      : uint8;
-	err_and_data_len  : uint16;
-	data              : bytestring &length=data_len;
-	have_mac          : case(auth_bit) of {
-		true  -> mac: NTP_MAC;
-		false -> nil: empty;
-	};
-} &let {
-	auth_bit  : bool  = (second_byte & 0x80) > 0;
-	sequence  : uint8 = (second_byte & 0x7F);
-	error_code: uint8 = (err_and_data_len & 0xF000) >> 12;
-	data_len  : uint16 = (err_and_data_len & 0x0FFF);
-};
-
diff --git a/src/analyzer/protocol/ntp/ntp.pac b/src/analyzer/protocol/ntp/ntp.pac
index 5ec3957078..6ee6027f76 100644
--- a/src/analyzer/protocol/ntp/ntp.pac
+++ b/src/analyzer/protocol/ntp/ntp.pac
@@ -1,15 +1,10 @@
-# Generated by binpac_quickstart
-
-# Analyzer for Network Time Protocol
-#  - ntp-protocol.pac: describes the NTP protocol messages
-#  - ntp-analyzer.pac: describes the NTP analyzer code
 
 %include binpac.pac
 %include bro.pac
 
 %extern{
+	#include "types.bif.h" 
 	#include "events.bif.h"
-	#include "types.bif.h"
 %}
 
 analyzer NTP withcontext {
@@ -17,17 +12,16 @@ analyzer NTP withcontext {
 	flow:       NTP_Flow;
 };
 
-# Our connection consists of two flows, one in each direction.
 connection NTP_Conn(bro_analyzer: BroAnalyzer) {
 	upflow   = NTP_Flow(true);
 	downflow = NTP_Flow(false);
 };
 
+%include ntp-mode7.pac
 %include ntp-protocol.pac
 
-# Now we define the flow:
 flow NTP_Flow(is_orig: bool) {
 	datagram = NTP_PDU(is_orig) withcontext(connection, this);
 };
 
-%include ntp-analyzer.pac
\ No newline at end of file
+%include ntp-analyzer.pac

From 411908a102a2fd97b5092bc3dfadb7213de3564a Mon Sep 17 00:00:00 2001
From: Palumbo Mauro <mauro.palumbo@aizoon.it>
Date: Mon, 3 Jun 2019 17:46:22 +0200
Subject: [PATCH 15/91] extend and refactor several fields

---
 src/analyzer/protocol/ntp/CMakeLists.txt   |   8 +-
 src/analyzer/protocol/ntp/NTP.cc           |  11 +-
 src/analyzer/protocol/ntp/NTP.h            |  24 +--
 src/analyzer/protocol/ntp/Plugin.cc        |   9 +-
 src/analyzer/protocol/ntp/events.bif       |  14 +-
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 178 +++++++++++++--------
 src/analyzer/protocol/ntp/ntp-protocol.pac | 138 ++++++++--------
 src/analyzer/protocol/ntp/types.bif        |   5 +-
 8 files changed, 209 insertions(+), 178 deletions(-)

diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
index ae26c7cdcd..14fe87470d 100644
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ b/src/analyzer/protocol/ntp/CMakeLists.txt
@@ -1,12 +1,10 @@
-# Generated by binpac_quickstart
 
 include(BroPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
 bro_plugin_begin(Bro NTP)
-	bro_plugin_cc(NTP.cc Plugin.cc)
-	bro_plugin_bif(types.bif)
-	bro_plugin_bif(events.bif)
-	bro_plugin_pac(ntp.pac ntp-analyzer.pac ntp-mode7.pac ntp-protocol.pac)
+bro_plugin_cc(NTP.cc Plugin.cc)
+bro_plugin_bif(types.bif events.bif)
+bro_plugin_pac(ntp.pac ntp-analyzer.pac ntp-mode7.pac ntp-protocol.pac)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
index 6918578a02..9a88138206 100644
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ b/src/analyzer/protocol/ntp/NTP.cc
@@ -1,5 +1,3 @@
-// Generated by binpac_quickstart
-
 #include "NTP.h"
 
 #include "Reporter.h"
@@ -9,12 +7,9 @@
 using namespace analyzer::NTP;
 
 NTP_Analyzer::NTP_Analyzer(Connection* c)
-
-: analyzer::Analyzer("NTP", c)
-
+	: analyzer::Analyzer("NTP", c)
 	{
 	interp = new binpac::NTP::NTP_Conn(this);
-	
 	}
 
 NTP_Analyzer::~NTP_Analyzer()
@@ -24,13 +19,11 @@ NTP_Analyzer::~NTP_Analyzer()
 
 void NTP_Analyzer::Done()
 	{
-	
 	Analyzer::Done();
-	
 	}
 
 void NTP_Analyzer::DeliverPacket(int len, const u_char* data,
-	 			  bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
+				    bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
index f7d9912131..c155fb3135 100644
--- a/src/analyzer/protocol/ntp/NTP.h
+++ b/src/analyzer/protocol/ntp/NTP.h
@@ -1,5 +1,3 @@
-// Generated by binpac_quickstart
-
 #ifndef ANALYZER_PROTOCOL_NTP_NTP_H
 #define ANALYZER_PROTOCOL_NTP_NTP_H
 
@@ -12,29 +10,23 @@
 
 namespace analyzer { namespace NTP {
 
-class NTP_Analyzer
-
-: public analyzer::Analyzer {
-
+class NTP_Analyzer : public analyzer::Analyzer {
 public:
-	NTP_Analyzer(Connection* conn);
-	virtual ~NTP_Analyzer();
+	explicit NTP_Analyzer(Connection* conn);
+	~NTP_Analyzer() override;
 
 	// Overriden from Analyzer.
-	virtual void Done();
-	
-	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					uint64 seq, const IP_Hdr* ip, int caplen);
-	
+	void Done() override;
+	void DeliverPacket(int len, const u_char* data, bool orig,
+					uint64 seq, const IP_Hdr* ip, int caplen) override;
 
-	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new NTP_Analyzer(conn); }
 
 protected:
 	binpac::NTP::NTP_Conn* interp;
-	
 };
 
-} } // namespace analyzer::* 
+} } // namespace analyzer::*
 
 #endif
diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc
index 2ff9d52d66..6a742b9fcc 100644
--- a/src/analyzer/protocol/ntp/Plugin.cc
+++ b/src/analyzer/protocol/ntp/Plugin.cc
@@ -1,4 +1,4 @@
-// Generated by binpac_quickstart
+// See the file  in the main distribution directory for copyright.
 
 #include "plugin/Plugin.h"
 
@@ -11,15 +11,14 @@ class Plugin : public plugin::Plugin {
 public:
 	plugin::Configuration Configure()
 		{
-		AddComponent(new ::analyzer::Component("NTP",
-		             ::analyzer::NTP::NTP_Analyzer::InstantiateAnalyzer));
+		AddComponent(new ::analyzer::Component("NTP", ::analyzer::NTP::NTP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
 		config.name = "Bro::NTP";
-		config.description = "Network Time Protocol analyzer";
+		config.description = "NTP analyzer";
 		return config;
 		}
 } plugin;
 
 }
-}
\ No newline at end of file
+}
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
index 3d864fc89a..b9f66a1160 100644
--- a/src/analyzer/protocol/ntp/events.bif
+++ b/src/analyzer/protocol/ntp/events.bif
@@ -1,9 +1,15 @@
-## Generated for NTP time synchronization messages
+## Generated for all NTP messages. Different from many other of Bro's events,
+## this one is generated for both client-side and server-side messages.
 ##
-## For more information about NTP, refer to :rfc:`5905`
+## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
+## more information about the NTP protocol.
 ##
-## c: The connection
+## c: The connection record describing the corresponding UDP flow.
 ##
-## msg: The NTP message record
+## is_orig: 
+##
+## msg: The parsed NTP message.
+##
+## .. zeek:see:: 
 ##
 event ntp_message%(c: connection, is_orig: bool, msg: NTP::Message%);
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 61a7472a49..e061439360 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -1,91 +1,131 @@
+
 %extern{
-#include <math.h>
-#define FRAC_16 pow(2,-16)
-#define FRAC_32 pow(2,-32)
-// NTP defines the epoch from 1900, not 1970
-#define EPOCH_OFFSET -2208988800
+	#include <math.h>
+	#define FRAC_16 pow(2,-16)
+	#define FRAC_32 pow(2,-32)
+	// NTP defines the epoch from 1900, not 1970
+	#define EPOCH_OFFSET -2208988800
 %}
 
 %header{
-Val* proc_ntp_short(const NTP_Short_Time* t);
-Val* proc_ntp_timestamp(const NTP_Time* t);
+	Val* proc_ntp_short(const NTP_Short_Time* t);
+	Val* proc_ntp_timestamp(const NTP_Time* t);
 %}
 
 %code{
-Val* proc_ntp_short(const NTP_Short_Time* t)
+	Val* proc_ntp_short(const NTP_Short_Time* t)
 	{
-	if ( t->seconds() == 0 && t->fractions() == 0 )
-		return new Val(0.0, TYPE_INTERVAL);
-	return new Val(t->seconds() + t->fractions()*FRAC_16, TYPE_INTERVAL);
+  	   if ( t->seconds() == 0 && t->fractions() == 0 )
+    		return new Val(0.0, TYPE_INTERVAL);
+  	   return new Val(t->seconds() + t->fractions()*FRAC_16, TYPE_INTERVAL);
 	}
 
-Val* proc_ntp_timestamp(const NTP_Time* t)
-	{
-	if ( t->seconds() == 0 && t->fractions() == 0)
-		return new Val(0.0, TYPE_TIME);
-	return new Val(EPOCH_OFFSET + t->seconds() + (t->fractions()*FRAC_32), TYPE_TIME);
-	}
+	Val* proc_ntp_timestamp(const NTP_Time* t)
+ 	{
+   	   if ( t->seconds() == 0 && t->fractions() == 0)
+     		return new Val(0.0, TYPE_TIME);
+   	   return new Val(EPOCH_OFFSET + t->seconds() + (t->fractions()*FRAC_32), TYPE_TIME);
+ 	}
 %}
 
 refine flow NTP_Flow += {
-	function proc_ntp_association(msg: NTP_Association): bool
-		%{
-		RecordVal* rv = new RecordVal(BifType::Record::NTP::Message);
-		rv->Assign(0, new Val(${msg.version}, TYPE_COUNT));
-		rv->Assign(1, new Val(${msg.mode}, TYPE_COUNT));
-		rv->Assign(2, new Val(${msg.stratum}, TYPE_COUNT));
-		rv->Assign(3, new Val(pow(2, ${msg.poll}), TYPE_INTERVAL));
-		rv->Assign(4, new Val(pow(2, ${msg.precision}), TYPE_INTERVAL));
 
-		rv->Assign(5, proc_ntp_short(${msg.root_delay}));
-		rv->Assign(6, proc_ntp_short(${msg.root_dispersion}));
-		switch ( ${msg.stratum} )
-			{
-			case 0:
-				// unknown stratum => kiss code
-				rv->Assign(7, bytestring_to_val(${msg.reference_id}));
-				break;
-			case 1:
-				// reference clock => ref clock string
-				rv->Assign(8, bytestring_to_val(${msg.reference_id}));
-				break;
-			default:
-				// TODO: Check for v4/v6
-				const uint8* d = ${msg.reference_id}.data();
-				rv->Assign(9, new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
-				break;
-			}
+        # This builds the standard msg record
+        function BuildNTPStdMsg(nsm: NTP_std_msg): BroVal
+        %{
+                RecordVal* rv = new RecordVal(BifType::Record::NTP::std);
 
-		rv->Assign(11, proc_ntp_timestamp(${msg.reference_ts}));
-		rv->Assign(12, proc_ntp_timestamp(${msg.origin_ts}));
-		rv->Assign(13, proc_ntp_timestamp(${msg.receive_ts}));
-		rv->Assign(14, proc_ntp_timestamp(${msg.transmit_ts}));
+               	rv->Assign(0, new Val(${nsm.stratum}, TYPE_COUNT));
+                rv->Assign(1, new Val(pow(2, ${nsm.poll}), TYPE_INTERVAL));
+                rv->Assign(2, new Val(pow(2, ${nsm.precision}), TYPE_INTERVAL));
+                rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
+                rv->Assign(4, proc_ntp_short(${nsm.root_dispersion}));
 
-		rv->Assign(17, new Val((uint32) ${msg.extensions}->size(), TYPE_COUNT));
+              	switch ( ${nsm.stratum} )
+              	{
+                 case 0:
+                   	// unknown stratum => kiss code
+                    	rv->Assign(7, bytestring_to_val(${nsm.reference_id}));
+                    	break;
+                 case 1:
+                    // reference clock => ref clock string
+                    rv->Assign(8, bytestring_to_val(${nsm.reference_id}));
+                    break;
+                 default:
+                   // TODO: Check for v4/v6
+                   const uint8* d = ${nsm.reference_id}.data();
+                   rv->Assign(9, new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
+                   break;
+              	}
 
-		BifEvent::generate_ntp_message(connection()->bro_analyzer(),
-		                               connection()->bro_analyzer()->Conn(),
-		                               is_orig(), rv);
-		return true;
-		%}
+                rv->Assign(9, proc_ntp_timestamp(${nsm.reference_ts}));
+                rv->Assign(10, proc_ntp_timestamp(${nsm.origin_ts}));
+                rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
+                rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
 
-	function proc_ntp_mode6(msg: NTP_Mode6): bool
-		%{
-		BifEvent::generate_ntp_mode6_message(connection()->bro_analyzer(),
-		                                     connection()->bro_analyzer()->Conn(),
-		                                     is_orig(), ${msg.opcode});
-		return true;
-		%}
+                rv->Assign(15, new Val((uint32) ${nsm.extensions}->size(), TYPE_COUNT));
 
-	function proc_ntp_mode7(msg: NTP_Mode7): bool
-		%{
-		BifEvent::generate_ntp_mode7_message(connection()->bro_analyzer(),
-		                                     connection()->bro_analyzer()->Conn(),
-		                                     is_orig(), ${msg.request_code});
-		return true;
-		%}
+        	return rv;
+        %}
+
+        # This builds the control msg record
+        function BuildNTPControlMsg(ncm: NTP_control_msg): BroVal
+        %{
+                RecordVal* rv = new RecordVal(BifType::Record::NTP::control);
+
+                rv->Assign(0, new Val(${ncm.OpCode}, TYPE_COUNT));
+                rv->Assign(1, new Val(${ncm.R}, TYPE_BOOL));
+                rv->Assign(2, new Val(${ncm.E}, TYPE_BOOL));
+                rv->Assign(3, new Val(${ncm.M}, TYPE_BOOL));
+                rv->Assign(4, new Val(${ncm.sequence}, TYPE_COUNT));
+                rv->Assign(5, new Val(${ncm.status}, TYPE_COUNT));
+                rv->Assign(6, new Val(${ncm.association_id}, TYPE_COUNT));
+                rv->Assign(7, new Val(${ncm.offs}, TYPE_COUNT));
+                rv->Assign(8, new Val(${ncm.c}, TYPE_COUNT));
+                rv->Assign(9, bytestring_to_val(${ncm.data}));
+
+                return rv;
+        %}
+
+        # This builds the mode7 msg record
+        function BuildNTPMode7Msg(m7: NTP_mode7_msg): BroVal
+        %{
+                RecordVal* rv = new RecordVal(BifType::Record::NTP::mode7);
+
+                rv->Assign(0, new Val(${m7.request_code}, TYPE_COUNT));
+                rv->Assign(1, new Val(${m7.auth_bit}, TYPE_BOOL));
+                rv->Assign(2, new Val(${m7.sequence}, TYPE_COUNT));
+                rv->Assign(3, new Val(${m7.implementation}, TYPE_COUNT));
+                rv->Assign(4, new Val(${m7.error_code}, TYPE_COUNT));
+                rv->Assign(5, bytestring_to_val(${m7.data}));
+
+                return rv;
+        %}
+
+
+	function proc_ntp_message(msg: NTP_PDU): bool
+	%{
+	 	
+    	   RecordVal* rv = new RecordVal(BifType::Record::NTP::Message);
+
+	   rv->Assign(0, new Val(${msg.version}, TYPE_COUNT));
+	   rv->Assign(1, new Val(${msg.mode}, TYPE_COUNT));
+
+	   // The standard record
+           if ( ${msg.mode}>0 && ${msg.mode}<6 ) {
+	      rv->Assign(2, BuildNTPStdMsg(${msg.std})); 
+	   } else if ( ${msg.mode}==6 ) {
+	      rv->Assign(3, BuildNTPControlMsg(${msg.control}));
+	   } else if ( ${msg.mode}==7 ) {
+              rv->Assign(4, BuildNTPMode7Msg(${msg.mode7}));
+           }
+
+	   BifEvent::generate_ntp_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig(), rv);
+	   return true;
+	%}
 };
 
-refine typeattr NTP_Association += &let {
-	proc: bool = $context.flow.proc_ntp_association(this);
+refine typeattr NTP_PDU += &let {
+	proc: bool = $context.flow.proc_ntp_message(this);
 };
+
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index cbac2ee09d..4a1e8af22b 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -1,49 +1,71 @@
+
+# This is the common part in the header format. 
+# See RFC 5905 for details
 type NTP_PDU(is_orig: bool) = record {
-	first_byte : uint8;
-
-	# Modes 1-5 are standard NTP time sync
-	mode_chk_1 : case (mode>=1 && mode<=5) of {
-  		true  -> msg: NTP_Association(first_byte, mode, version);
-		false -> unk: empty;
-	} &requires(version);
-
-	mode_chk_2 : case (mode) of {
-		6 -> ctl_msg       : NTP_Mode6(first_byte, version) &restofdata;
-		7 -> mode_7        : NTP_Mode7(first_byte, version) &restofdata;
-		default -> unknown: bytestring &restofdata;
-	} &requires(version);
-
+	# The first byte of the NTP header contains the leap indicator,
+	# the version and the mode
+	first_byte     : uint8;
+  	# Modes 1-5 are standard NTP time sync
+  	standard_modes  : case (mode>=1 && mode<=5) of {
+  		true  	-> std		: NTP_std_msg;
+    		false 	-> emp		: empty;
+  	};
+  	modes_6_7     	: case (mode) of {
+		# mode 6 is for control messages (format is different from modes 6-7)
+    		6 	-> control 	: NTP_control_msg;
+		# mode 7 is reserved or private (and implementation dependent). For example used for some commands such as MONLIST 
+    		7 	-> mode7  	: NTP_mode7_msg;
+  		default -> unknown	: bytestring &restofdata;
+  	};
 } &let {
-	mode:    uint8 = (first_byte & 0x7);       # Bytes 6-8 of 8-byte value
-	version: uint8 = (first_byte & 0x38) >> 3; # Bytes 3-5 of 8-byte value
-} &byteorder=bigendian;
+	leap:     uint8  = (first_byte & 0xc0)>>6;   	# First 2 bits of 8-bits value
+	version:  uint8  = (first_byte & 0x38)>>3; 	# Bits 3-5 of 8-bits value
+	mode:     uint8  = (first_byte & 0x07);  	# Bits 6-8 of 8-bits value
+} &byteorder=bigendian &exportsourcedata;
 
-type NTP_Association(first_byte: uint8, mode: uint8, version: uint8) = record {
-	stratum        : uint8;
-	poll           : int8;
-	precision      : int8;
-	
-	root_delay     : NTP_Short_Time;
-	root_dispersion: NTP_Short_Time;
-	reference_id   : bytestring &length=4;
-	reference_ts   : NTP_Time;
-	
-	origin_ts      : NTP_Time;
-	receive_ts     : NTP_Time;
-	transmit_ts    : NTP_Time;
+# This is the most common type of message, corresponding to modes 1-5
+# This kind of msg are used for normal operation of syncronization
+# See RFC 5905 for details
+type NTP_std_msg = record {
+        stratum        : uint8;
+        poll           : int8;
+        precision      : int8;
 
-	extensions     : Extension_Field[] &until($input.length() <= 18);
-	have_mac       : case (offsetof(have_mac) < length) of {
-		true  -> mac : NTP_MAC;
-		false -> nil : empty;
-	} &requires(length);
+        root_delay     : NTP_Short_Time;
+        root_dispersion: NTP_Short_Time;
+        reference_id   : bytestring &length=4;
+        reference_ts   : NTP_Time;
+
+        origin_ts      : NTP_Time;
+        receive_ts     : NTP_Time;
+        transmit_ts    : NTP_Time;
+        extensions     : Extension_Field[] &until($input.length() <= 18);
+        have_mac       : case (offsetof(have_mac) < length) of {
+                                true  -> mac : NTP_MAC;
+                                false -> nil : empty;
+                         } &requires(length);
 } &let {
-	leap:     bool  = (first_byte & 0xc0); # First 2 bytes of 8-byte value
-	leap_61:  bool  = (leap & 0x40) > 0;   # leap_indicator == 1
-	leap_59:  bool  = (leap & 0x80) > 0;   # leap_indicator == 2
-	leap_unk: bool  = (leap & 0xc0) > 0;   # leap_indicator == 3
-	length          = sourcedata.length();
-} &exportsourcedata;
+        length          = sourcedata.length();
+} &byteorder=bigendian &exportsourcedata;
+
+# This format is for mode==6, control msg
+# See RFC 1119 for details
+type NTP_control_msg = record {
+        second_byte	: uint8;
+        sequence	: uint16;
+        status      	: uint16;    #TODO: this must be further specified
+        association_id	: uint16;
+        offs		: uint16;
+        c	   	: uint16;
+        data		: bytestring &restofdata;
+	#auth		: #TODO
+} &let {
+        R:	bool   = (second_byte & 0x80) > 0;	# First bit of 8-bits value
+        E:	bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
+        M:     	bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
+        OpCode:	uint8  = (second_byte & 0x1F);	# Last 5 bits of 8-bits value
+} &byteorder=bigendian &exportsourcedata;
+
 
 type NTP_MAC = record {
 	key_id: uint32;
@@ -51,37 +73,17 @@ type NTP_MAC = record {
 } &length=18;
 
 type Extension_Field = record {
-	field_type: uint16;
-	length    : uint16;
-	data      : bytestring &length=length-4;
+  field_type: uint16;
+  length    : uint16;
+  data      : bytestring &length=length-4;
 };
 
 type NTP_Short_Time = record {
-	seconds:   int16;
-	fractions: int16;
+  seconds:   int16;
+  fractions: int16;
 };
 
 type NTP_Time = record {
-	seconds:   uint32;
-	fractions: uint32;
-};
-
-
-# From RFC 1305, Appendix B:
-type NTP_Mode6(first_byte: uint8, version: uint8) = record {
-	rem_op  : uint8;
-	sequence: uint16;
-	status  : uint16;
-	assoc_id: uint16;
-	offset  : uint16;
-	count   : uint16;
-	data    : bytestring &length=count;
-	pad     : padding[pad_length];
-	opt_auth: bytestring &restofdata;
-} &let {
-	response_bit: bool = (rem_op & 0x80) > 0;
-	error_bit   : bool = (rem_op & 0x40) > 0;
-	more_bit    : bool = (rem_op & 0x20) > 0;
-	opcode      : uint8 = (rem_op & 0x1f);
-	pad_length  : uint8 = (count % 32 == 0) ? 0 : 32 - (count % 32);
+  seconds:   uint32;
+  fractions: uint32;
 };
diff --git a/src/analyzer/protocol/ntp/types.bif b/src/analyzer/protocol/ntp/types.bif
index 1a5fd07faa..513bd4dbae 100644
--- a/src/analyzer/protocol/ntp/types.bif
+++ b/src/analyzer/protocol/ntp/types.bif
@@ -1,5 +1,6 @@
 module NTP;
 
+type NTP::std: record;
+type NTP::control: record;
+type NTP::mode7: record;
 type NTP::Message: record;
-
-module GLOBAL;
\ No newline at end of file

From ce07b10aa82d8149d1877959362e7727bc9fa952 Mon Sep 17 00:00:00 2001
From: Palumbo Mauro <mauro.palumbo@aizoon.it>
Date: Mon, 3 Jun 2019 17:50:32 +0200
Subject: [PATCH 16/91] extend and refact script-side of NTP analyzer

---
 scripts/base/protocols/ntp/__load__.zeek |   3 +-
 scripts/base/protocols/ntp/dpd.sig       |  14 +-
 scripts/base/protocols/ntp/main.zeek     | 268 +++++++++++++++--------
 3 files changed, 180 insertions(+), 105 deletions(-)

diff --git a/scripts/base/protocols/ntp/__load__.zeek b/scripts/base/protocols/ntp/__load__.zeek
index 4ca8806d3b..16ffbbf380 100644
--- a/scripts/base/protocols/ntp/__load__.zeek
+++ b/scripts/base/protocols/ntp/__load__.zeek
@@ -1,3 +1,2 @@
-# Generated by binpac_quickstart
 @load ./main
-@load ./consts
\ No newline at end of file
+#@load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/ntp/dpd.sig b/scripts/base/protocols/ntp/dpd.sig
index 2eb583c6c9..3c755ecc4f 100644
--- a/scripts/base/protocols/ntp/dpd.sig
+++ b/scripts/base/protocols/ntp/dpd.sig
@@ -1,14 +1,12 @@
-# Generated by binpac_quickstart
-
 signature dpd_ntp {
-	
-	ip-proto == udp
-	
 
-	# ## TODO: Define the payload. When Bro sees this regex, on
+ 	ip-proto == udp
+
+
+ 	# ## TODO: Define the payload. When Bro sees this regex, on
 	# ## any port, it will enable your analyzer on that
 	# ## connection.
 	# ## payload /^NTP/
 
-	enable "ntp"
-}
\ No newline at end of file
+ 	enable "ntp"
+}
diff --git a/scripts/base/protocols/ntp/main.zeek b/scripts/base/protocols/ntp/main.zeek
index b39547d6a6..de65863c39 100644
--- a/scripts/base/protocols/ntp/main.zeek
+++ b/scripts/base/protocols/ntp/main.zeek
@@ -1,119 +1,197 @@
 module NTP;
 
-@load ./consts
+# TODO: The recommended method to do dynamic protocol detection
+# (DPD) is with the signatures in dpd.sig. 
+# For the time being, we use port detection. 
+const ports = { 123/udp };
+redef likely_server_ports += { ports };
 
 export {
-	redef enum Log::ID += { LOG };
+        redef enum Log::ID += { LOG };
 
-	type Info: record {
-		## Timestamp for when the event happened.
-		ts:        time    &log;
-		## Unique ID for the connection.
-		uid:       string  &log;
-		## The connection's 4-tuple of endpoint addresses/ports.
-		id:        conn_id &log;
-		## The version of NTP
-		ver:       count &log;
-		## The stratum (primary, secondary, etc.) of the server
-		stratum:   count &log &optional;
-		## The precision of the system clock of the client
-		precision: interval &log &optional;
-		## The time at the client that the request was sent to the server
-		org_time:   time &log &optional;
-		## The time at the server when the request was received
-		rec_time:   time &log &optional;
-		## The time at the server when the reply was sent
-		xmt_time:  time &log &optional;
-		## For stratum 0, 4 character string used for debugging
-		kiss_code: string &log &optional;
-		## For stratum 1, ID assigned to the clock by IANA
-		ref_id:    string &log &optional;
-		## The IP of the server's reference clock
-		ref_clock: addr &log &optional;
+        type Info: record {
+                ## Timestamp for when the event happened.
+                ts:     	time    &log;
+                ## Unique ID for the connection.
+                uid:    	string  &log;
+                ## The connection's 4-tuple of endpoint addresses/ports.
+                id:     	conn_id &log;
+		## The NTP version number (1, 2, 3, 4)
+        	version:	count &log;
+        	## The NTP mode being used
+                mode:		count &log;
+        	## The stratum (primary server, secondary server, etc.)
+        	stratum:	count &log;
+        	## The maximum interval between successive messages
+        	poll:		interval &log;
+        	## The precision of the system clock
+        	precision:	interval &log;
+        	## Total round-trip delay to the reference clock
+        	root_delay:	interval &log;
+        	## Total dispersion to the reference clock
+        	root_disp:	interval &log;
+        	## For stratum 0, 4 character string used for debugging
+        	kiss_code:	string &optional &log;
+        	## For stratum 1, ID assigned to the reference clock by IANA
+        	ref_id:         string &optional &log;
+        	## Above stratum 1, when using IPv4, the IP address of the reference clock
+        	ref_addr:	addr &optional &log;
+        	## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
+        	## IPv6 address of the reference clock
+        	ref_v6_hash_prefix: string &optional &log;
+        	## Time when the system clock was last set or correct
+        	ref_time:	time &log;
+        	## Time at the client when the request departed for the NTP server
+        	org_time:	time &log;
+        	## Time at the server when the request arrived from the NTP client
+        	rec_time:	time &log;
+        	## Time at the server when the response departed for the NTP client
+        	xmt_time:	time &log;
+        	## Key used to designate a secret MD5 key
+        	key_id:		count &optional &log;
+        	## MD5 hash computed over the key followed by the NTP packet header and extension fields
+        	digest:		string &optional &log;
+        	## Number of extension fields  (which are not currently parsed)
+        	num_exts:	count &default=0 &log;
+
+        	## An integer specifying the command function. Values currently defined includes:
+        	## 1 read status command/response
+        	## 2 read variables command/response
+        	## 3 write variables command/response
+        	## 4 read clock variables command/response
+        	## 5 write clock variables command/response
+        	## 6 set trap address/port command/response
+        	## 7 trap response
+        	## Other values are reserved.
+        	OpCode          : count &log;
+        	## The response bit. Set to zero for commands, one for responses.
+        	resp_bit        : bool &log;
+        	## The error bit. Set to zero for normal response, one for error response.
+		err_bit         : bool &log;
+        	## The more bit. Set to zero for last fragment, one for all others.
+	        more_bit        : bool &log;
+        	## The sequence number of the command or response
+	        sequence        : count &log;
+        	## The current status of the system, peer or clock
+	        status          : count &log;    
+        	## A 16-bit integer identifying a valid association
+	        association_id  : count &log;
+
+		## An implementation-specific code which specifies the
+		## operation to be (which has been) performed and/or the
+		## format and semantics of the data included in the packet.
+        	ReqCode         : count &log;
+        	## The authenticated bit. If set, this packet is authenticated.
+        	auth_bit        : bool &log;
+        	## For a multipacket response, contains the sequence
+       		## number of this packet.  0 is the first in the sequence,
+        	## 127 (or less) is the last.  The More Bit must be set in
+        	## all packets but the last.
+        	sequence        : count &log;
+        	## The number of the implementation this request code
+        	## is defined by.  An implementation number of zero is used
+        	## for requst codes/data formats which all implementations
+        	## agree on.  Implementation number 255 is reserved (for
+        	## extensions, in case we run out).
+        	implementation  : count &log;
+        	##  Must be 0 for a request.  For a response, holds an error
+        	##  code relating to the request.  If nonzero, the operation
+        	##  requested wasn't performed.
+        	##
+        	##               0 - no error
+        	##               1 - incompatible implementation number
+        	##               2 - unimplemented request code
+        	##               3 - format error (wrong data items, data size, packet size etc.)
+        	##               4 - no data available (e.g. request for details on unknown peer)
+        	##               5-6 I don't know
+        	##               7 - authentication failure (i.e. permission denied)
+        	err             : count &log;
 	};
 
-	## Event that can be handled to access the NTP record as it is sent on
-	## to the logging framework.
-	global log_ntp: event(rec: Info);
+        ## Event that can be handled to access the NTP record as it is sent on
+        ## to the logging framework.
+        global log_ntp: event(rec: Info);
 }
 
 redef record connection += {
-	ntp: Info &optional;
+        ntp: Info &optional;
 };
 
-const ports = { 123/udp };
-
-redef likely_server_ports += { ports };
-
-event zeek_init() &priority=5
-	{
-	Log::create_stream(NTP::LOG, [$columns=Info, $ev=log_ntp, $path="ntp"]);
-
-	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
-	}
-
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
-	{
-	# Record initialization
+{
 	local info: Info;
-	if ( c?$ntp )
-		info = c$ntp;
-	else
-		{
-		info$ts  = network_time();
-		info$uid = c$uid;
-		info$id  = c$id;
-		info$ver = msg$version;
-		}
+	  info$ts  = network_time();
+	  info$uid = c$uid;
+	  info$id  = c$id;
+	  info$version = msg$version;
+          info$mode = msg$mode;
 
-	# From the request, we get the desired precision
-	if ( is_orig )
-		{
-		info$precision = msg$precision;
-		c$ntp = info;
-		return;
-		}
+	  if ( msg$mode < 6 ) { 
+ 		info$stratum = msg$std_msg$stratum;
+		info$poll =  msg$std_msg$poll;
+		info$precision =  msg$std_msg$precision;
+		info$root_delay =  msg$std_msg$root_delay;
+		info$root_disp =  msg$std_msg$root_disp;
 
-	# From the response, we fill out most of the rest of the fields.
-	info$stratum = msg$stratum;
-	info$org_time = msg$org_time;
-	info$rec_time = msg$rec_time;
-	info$xmt_time = msg$xmt_time;
+		if ( info?$kiss_code) 
+			info$kiss_code =  msg$std_msg$kiss_code;
+                if ( info?$ref_id)
+                        info$ref_id =  msg$std_msg$ref_id;
+                if ( info?$ref_addr)
+                        info$ref_addr =  msg$std_msg$ref_addr;
+                if ( info?$ref_v6_hash_prefix)
+                        info$ref_v6_hash_prefix =  msg$std_msg$ref_v6_hash_prefix;
 
-	# Stratum 1 has the textual reference ID
-	if ( msg$stratum == 1 )
-		info$ref_id = gsub(msg$ref_id, /\x00*/, "");
+                info$ref_time =  msg$std_msg$ref_time;
+                info$org_time =  msg$std_msg$org_time;
+                info$rec_time =  msg$std_msg$rec_time;
+                info$xmt_time =  msg$std_msg$xmt_time;
 
-	# Higher stratums using IPv4 have the address of the reference server.
-	if ( msg$stratum > 1 )
-		{
-		if ( is_v4_addr(c$id$orig_h) )
-			info$ref_clock = msg$ref_addr;
-		}
+                if ( info?$key_id)
+                        info$key_id =  msg$std_msg$key_id;
+                if ( info?$digest)
+                        info$digest =  msg$std_msg$digest;
+
+		info$num_exts =  msg$std_msg$num_exts;
+	  }
+
+          if ( msg$mode==6 ) {
+             info$OpCode = msg$control_msg$OpCode;
+             info$resp_bit = msg$control_msg$resp_bit;
+             info$err_bit = msg$control_msg$err_bit;
+             info$more_bit = msg$control_msg$more_bit;
+             info$sequence = msg$control_msg$sequence;
+             info$status = msg$control_msg$status;
+             info$association_id = msg$control_msg$association_id;
+	  }
+
+          if ( msg$mode==7 ) {
+             info$ReqCode = msg$mode7_msg$ReqCode;
+	     info$auth_bit = msg$mode7_msg$auth_bit;
+	     info$sequence = msg$mode7_msg$sequence;
+	     info$implementation = msg$mode7_msg$implementation;
+	     info$err = msg$mode7_msg$err;
+	  }
+
+        # Copy the present packet info into the connection record
+	# If more ntp packets are sent on the same connection, the newest one
+	# will overwrite the previous
 	c$ntp = info;
-	}
+
+	# Add the service to the Conn::LOG
+	add c$service["ntp"];
+}
 
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
-	{
-	if ( ! is_orig )
-		{
-		Log::write(NTP::LOG, c$ntp);
-		delete c$ntp;
-		}
-	}
+{
+        # Log every ntp packet into ntp.log
+        Log::write(NTP::LOG, c$ntp);
+}
 
-event connection_state_remove(c: connection) &priority=-5
-	{
-	if ( c?$ntp )
-		Log::write(NTP::LOG, c$ntp);
-	}
+event zeek_init() &priority=5
+{
+    Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
 
-event ntp_mode6_message(c: connection, is_orig: bool, opcode: count)
-	{
-	print "Mode 6", opcode;
-	}
+    Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
+}
 
-event ntp_mode7_message(c: connection, is_orig: bool, opcode: count)
-	{
-	print "Mode 7", opcode;
-	}

From c8f4d681850ebceb60013abe5b349b444c328287 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Tue, 4 Jun 2019 12:22:37 +0200
Subject: [PATCH 17/91] update ntp analyzer to val_mgr

---
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 50 ++++++++++++----------
 1 file changed, 27 insertions(+), 23 deletions(-)

diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index e061439360..ed9284ef85 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -12,22 +12,26 @@
 	Val* proc_ntp_timestamp(const NTP_Time* t);
 %}
 
+
 %code{
 	Val* proc_ntp_short(const NTP_Short_Time* t)
 	{
   	   if ( t->seconds() == 0 && t->fractions() == 0 )
-    		return new Val(0.0, TYPE_INTERVAL);
-  	   return new Val(t->seconds() + t->fractions()*FRAC_16, TYPE_INTERVAL);
+    		return new IntervalVal(0.0, Milliseconds);
+   	   return new IntervalVal((double)ntohl(t->seconds() + t->fractions()*FRAC_16), Milliseconds);
+   	   //return new IntervalVal((double)ntohs(t->seconds() + t->fractions()*FRAC_16), Seconds);
 	}
 
 	Val* proc_ntp_timestamp(const NTP_Time* t)
  	{
    	   if ( t->seconds() == 0 && t->fractions() == 0)
      		return new Val(0.0, TYPE_TIME);
-   	   return new Val(EPOCH_OFFSET + t->seconds() + (t->fractions()*FRAC_32), TYPE_TIME);
+   	   return new IntervalVal((double)ntohl(EPOCH_OFFSET + t->seconds() + t->fractions()*FRAC_32), Milliseconds);
+   	   //return new IntervalVal((double)ntohs(EPOCH_OFFSET + t->seconds() + t->fractions()*FRAC_32), Seconds);
  	}
 %}
 
+
 refine flow NTP_Flow += {
 
         # This builds the standard msg record
@@ -35,9 +39,9 @@ refine flow NTP_Flow += {
         %{
                 RecordVal* rv = new RecordVal(BifType::Record::NTP::std);
 
-               	rv->Assign(0, new Val(${nsm.stratum}, TYPE_COUNT));
-                rv->Assign(1, new Val(pow(2, ${nsm.poll}), TYPE_INTERVAL));
-                rv->Assign(2, new Val(pow(2, ${nsm.precision}), TYPE_INTERVAL));
+               	rv->Assign(0, val_mgr->GetCount(${nsm.stratum}));
+                rv->Assign(1, new IntervalVal(pow(2, ${nsm.poll}), Milliseconds));
+                rv->Assign(2, new IntervalVal(pow(2, ${nsm.precision}), Milliseconds));
                 rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
                 rv->Assign(4, proc_ntp_short(${nsm.root_dispersion}));
 
@@ -63,7 +67,7 @@ refine flow NTP_Flow += {
                 rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
                 rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
 
-                rv->Assign(15, new Val((uint32) ${nsm.extensions}->size(), TYPE_COUNT));
+                rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
 
         	return rv;
         %}
@@ -73,15 +77,15 @@ refine flow NTP_Flow += {
         %{
                 RecordVal* rv = new RecordVal(BifType::Record::NTP::control);
 
-                rv->Assign(0, new Val(${ncm.OpCode}, TYPE_COUNT));
-                rv->Assign(1, new Val(${ncm.R}, TYPE_BOOL));
-                rv->Assign(2, new Val(${ncm.E}, TYPE_BOOL));
-                rv->Assign(3, new Val(${ncm.M}, TYPE_BOOL));
-                rv->Assign(4, new Val(${ncm.sequence}, TYPE_COUNT));
-                rv->Assign(5, new Val(${ncm.status}, TYPE_COUNT));
-                rv->Assign(6, new Val(${ncm.association_id}, TYPE_COUNT));
-                rv->Assign(7, new Val(${ncm.offs}, TYPE_COUNT));
-                rv->Assign(8, new Val(${ncm.c}, TYPE_COUNT));
+                rv->Assign(0, val_mgr->GetCount(${ncm.OpCode}));
+                rv->Assign(1, val_mgr->GetBool(${ncm.R}));
+                rv->Assign(2, val_mgr->GetBool(${ncm.E}));
+                rv->Assign(3, val_mgr->GetBool(${ncm.M}));
+                rv->Assign(4, val_mgr->GetCount(${ncm.sequence}));
+                rv->Assign(5, val_mgr->GetCount(${ncm.status}));
+                rv->Assign(6, val_mgr->GetCount(${ncm.association_id}));
+                rv->Assign(7, val_mgr->GetCount(${ncm.offs}));
+                rv->Assign(8, val_mgr->GetCount(${ncm.c}));
                 rv->Assign(9, bytestring_to_val(${ncm.data}));
 
                 return rv;
@@ -92,11 +96,11 @@ refine flow NTP_Flow += {
         %{
                 RecordVal* rv = new RecordVal(BifType::Record::NTP::mode7);
 
-                rv->Assign(0, new Val(${m7.request_code}, TYPE_COUNT));
-                rv->Assign(1, new Val(${m7.auth_bit}, TYPE_BOOL));
-                rv->Assign(2, new Val(${m7.sequence}, TYPE_COUNT));
-                rv->Assign(3, new Val(${m7.implementation}, TYPE_COUNT));
-                rv->Assign(4, new Val(${m7.error_code}, TYPE_COUNT));
+                rv->Assign(0, val_mgr->GetCount(${m7.request_code}));
+                rv->Assign(1, val_mgr->GetBool(${m7.auth_bit}));
+                rv->Assign(2, val_mgr->GetCount(${m7.sequence}));
+                rv->Assign(3, val_mgr->GetCount(${m7.implementation}));
+                rv->Assign(4, val_mgr->GetCount(${m7.error_code}));
                 rv->Assign(5, bytestring_to_val(${m7.data}));
 
                 return rv;
@@ -108,8 +112,8 @@ refine flow NTP_Flow += {
 	 	
     	   RecordVal* rv = new RecordVal(BifType::Record::NTP::Message);
 
-	   rv->Assign(0, new Val(${msg.version}, TYPE_COUNT));
-	   rv->Assign(1, new Val(${msg.mode}, TYPE_COUNT));
+	   rv->Assign(0, val_mgr->GetCount(${msg.version}));
+	   rv->Assign(1, val_mgr->GetCount(${msg.mode}));
 
 	   // The standard record
            if ( ${msg.mode}>0 && ${msg.mode}<6 ) {

From 208768c0e928c28330e76049568e57f67d35e154 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Tue, 4 Jun 2019 16:09:32 +0200
Subject: [PATCH 18/91] add ntp records to init-bare.zeek

---
 scripts/base/init-bare.zeek | 143 ++++++++++++++++++++++++++++++++++++
 1 file changed, 143 insertions(+)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index cebd952abc..42e0eea538 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4979,6 +4979,149 @@ export {
 	const max_frame_size = 65536 &redef;
 }
 
+module NTP;
+
+export {
+
+	## NTP standard message as defined in :rfc:`5905` for mode=1-5
+	## This record contains the standard fields used by the NTP protocol
+	## for standard syncronization operations. 
+	type NTP::std: record {
+        ## The stratum (primary server, secondary server, etc.)
+        stratum:            count;
+        ## The maximum interval between successive messages
+        poll:               interval;
+        ## The precision of the system clock
+        precision:          interval;
+        ## Total round-trip delay to the reference clock
+        root_delay:         interval;
+        ## Total dispersion to the reference clock
+        root_disp:          interval;
+        ## For stratum 0, 4 character string used for debugging
+        kiss_code:          string &optional;
+        ## For stratum 1, ID assigned to the reference clock by IANA
+        ref_id:             string &optional;
+        ## Above stratum 1, when using IPv4, the IP address of the reference clock
+        ref_addr:           addr &optional;
+        ## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
+        ## IPv6 address of the reference clock
+        ref_v6_hash_prefix: string &optional;
+        ## Time when the system clock was last set or correct
+        ref_time:           time;
+        ## Time at the client when the request departed for the NTP server
+        org_time:           time;
+        ## Time at the server when the request arrived from the NTP client
+        rec_time:           time;
+        ## Time at the server when the response departed for the NTP client
+        xmt_time:           time;
+        ## Key used to designate a secret MD5 key
+        key_id:             count &optional;
+        ## MD5 hash computed over the key followed by the NTP packet header and extension fields
+        digest:             string &optional;
+        ## Number of extension fields  (which are not currently parsed)
+        num_exts:           count &default=0;
+	};
+
+        ## NTP control message as defined in :rfc:`1119` for mode=6
+        ## This record contains the fields used by the NTP protocol
+        ## for control operations.
+        type NTP::control: record {
+	## An integer specifying the command function. Values currently defined includes:
+	## 1 read status command/response
+	## 2 read variables command/response
+	## 3 write variables command/response
+	## 4 read clock variables command/response
+	## 5 write clock variables command/response
+	## 6 set trap address/port command/response
+	## 7 trap response
+	## Other values are reserved.
+        OpCode     	: count;
+	## The response bit. Set to zero for commands, one for responses.
+        resp_bit        : bool;
+        ## The error bit. Set to zero for normal response, one for error response.
+        err_bit		: bool;
+        ## The more bit. Set to zero for last fragment, one for all others.
+        more_bit        : bool;
+	## The sequence number of the command or response
+        sequence        : count;
+	## The current status of the system, peer or clock
+        status          : count;    #TODO: this must be further specified
+	## A 16-bit integer identifying a valid association
+        association_id  : count;
+	## A 16-bit integer indicating the offset, in octets, of the first octet in the data area
+        offs            : count;
+	## A 16-bit integer indicating the length of the data field, in octets
+        c		: count;
+	## The message data for the command or response + Authenticator (optional)
+        data            : string &optional;   # TODO: distinguish data and authenticator
+	};
+
+        ## NTP mode7 message for mode=7. Note that this is not defined in any RFC
+	## and is implementation dependent. We used the official implementation from
+	## the NTP official project (www.ntp.org).
+	## A mode 7 packet is used exchanging data between an NTP server
+	## and a client for purposes other than time synchronization, e.g.
+	## monitoring, statistics gathering and configuration. 
+	## For details see the documentation from the NTP official project (www.ntp.org),
+	## code v. ntp-4.2.8p13, in include/ntp_request.h.
+        type NTP::mode7: record {
+        ## An implementation-specific code which specifies the
+	## operation to be (which has been) performed and/or the
+	## format and semantics of the data included in the packet.
+        ReqCode		: count;
+        ## The authenticated bit. If set, this packet is authenticated.
+        auth_bit        : bool;
+        ## For a multipacket response, contains the sequence
+	## number of this packet.  0 is the first in the sequence,
+	## 127 (or less) is the last.  The More Bit must be set in
+	## all packets but the last.
+        sequence        : count;
+        ## The number of the implementation this request code
+	## is defined by.  An implementation number of zero is used
+	## for requst codes/data formats which all implementations
+	## agree on.  Implementation number 255 is reserved (for
+	## extensions, in case we run out).
+        implementation	: count;    
+        ##  Must be 0 for a request.  For a response, holds an error
+	##  code relating to the request.  If nonzero, the operation
+	##  requested wasn't performed.
+	##
+	##               0 - no error
+	##               1 - incompatible implementation number
+	##               2 - unimplemented request code
+	##               3 - format error (wrong data items, data size, packet size etc.)
+	##               4 - no data available (e.g. request for details on unknown peer)
+	##               5-6 I don't know
+	##               7 - authentication failure (i.e. permission denied)
+        err  		: count;
+        ## Rest of data
+        data            : string &optional;   # TODO: can be further parsed
+        };
+
+        ## NTP message as defined in :rfc:`5905`.
+        ## Doesn't include fields for mode 7 (reserved for private use), e.g. monlist
+        type NTP::Message: record {
+        ## The NTP version number (1, 2, 3, 4)
+        version:            count;
+        ## The NTP mode being used
+        mode:               count;
+	## If mode=1-5, the standard fields for syncronization operations are here.
+	## See :rfc:`5905`
+	std_msg:	    NTP::std &optional;
+	## If mode=6, the fields for control operations are here.
+	## See :rfc:`1119`
+	control_msg:	    NTP::control &optional;
+        ## If mode=7, the fields for extra operations are here.
+        ## Note that this is not defined in any RFC
+        ## and is implementation dependent. We used the official implementation from
+        ## the NTP official project (www.ntp.org).
+        ## A mode 7 packet is used exchanging data between an NTP server
+        ## and a client for purposes other than time synchronization, e.g.
+        ## monitoring, statistics gathering and configuration.
+        mode7_msg:	    NTP::mode7 &optional;
+        };
+}
+
 module Cluster;
 export {
 	type Cluster::Pool: record {};

From 75b7be302f044752f7e7146ca66c36059c695974 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Tue, 4 Jun 2019 17:10:57 +0200
Subject: [PATCH 19/91] fix problem with time vals

---
 aux/broker                                 |  2 +-
 aux/btest                                  |  2 +-
 aux/netcontrol-connectors                  |  2 +-
 doc                                        |  2 +-
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 12 +++++-------
 5 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/aux/broker b/aux/broker
index 474a6d902b..bfefac3a88 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 474a6d902b1c41912b216c06a74085ff3b102bad
+Subproject commit bfefac3a882b382bfb7ad749974930884da954a6
diff --git a/aux/btest b/aux/btest
index 6ece47ba64..539c2d8253 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 6ece47ba6438e7a6db5c7b85a68b3c16f0911871
+Subproject commit 539c2d82534345c62ba9a20c2e98ea5cbdea9c7e
diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors
index e93235aa6e..6501fef1ff 160000
--- a/aux/netcontrol-connectors
+++ b/aux/netcontrol-connectors
@@ -1 +1 @@
-Subproject commit e93235aa6e45820af7e23e97627845a7b2b3d919
+Subproject commit 6501fef1fffc0b49dda59b3716b03034edcfeee6
diff --git a/doc b/doc
index 3db2ff8fa6..7f64a90d86 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 3db2ff8fa65f5acb3f7807a0302d5c81db1e2227
+Subproject commit 7f64a90d86fc53506f93fb4c327fdb8c4e3aab0a
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index ed9284ef85..8a94db1d18 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -17,17 +17,15 @@
 	Val* proc_ntp_short(const NTP_Short_Time* t)
 	{
   	   if ( t->seconds() == 0 && t->fractions() == 0 )
-    		return new IntervalVal(0.0, Milliseconds);
-   	   return new IntervalVal((double)ntohl(t->seconds() + t->fractions()*FRAC_16), Milliseconds);
-   	   //return new IntervalVal((double)ntohs(t->seconds() + t->fractions()*FRAC_16), Seconds);
+    		return new Val(0.0, TYPE_INTERVAL);
+   	   return new Val(t->seconds() + t->fractions()*FRAC_16, TYPE_INTERVAL);
 	}
 
 	Val* proc_ntp_timestamp(const NTP_Time* t)
  	{
    	   if ( t->seconds() == 0 && t->fractions() == 0)
      		return new Val(0.0, TYPE_TIME);
-   	   return new IntervalVal((double)ntohl(EPOCH_OFFSET + t->seconds() + t->fractions()*FRAC_32), Milliseconds);
-   	   //return new IntervalVal((double)ntohs(EPOCH_OFFSET + t->seconds() + t->fractions()*FRAC_32), Seconds);
+   	   return new Val(EPOCH_OFFSET + t->seconds() + t->fractions()*FRAC_32, TYPE_TIME);
  	}
 %}
 
@@ -40,8 +38,8 @@ refine flow NTP_Flow += {
                 RecordVal* rv = new RecordVal(BifType::Record::NTP::std);
 
                	rv->Assign(0, val_mgr->GetCount(${nsm.stratum}));
-                rv->Assign(1, new IntervalVal(pow(2, ${nsm.poll}), Milliseconds));
-                rv->Assign(2, new IntervalVal(pow(2, ${nsm.precision}), Milliseconds));
+                rv->Assign(1, new Val(pow(2, ${nsm.poll}), TYPE_INTERVAL));
+                rv->Assign(2, new Val(pow(2, ${nsm.precision}), TYPE_INTERVAL));
                 rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
                 rv->Assign(4, proc_ntp_short(${nsm.root_dispersion}));
 

From 50f265353bb47c8e54a3daa5f5c7d4f21622423b Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Tue, 4 Jun 2019 17:59:18 +0200
Subject: [PATCH 20/91] add tests for ntp protocol (WIP)

---
 .../scripts.base.protocols.ntp.ntp/.stdout    |  16 +++++++
 .../scripts.base.protocols.ntp.ntp/ntp.log    |  25 +++++++++++
 .../scripts.base.protocols.ntp.ntp2/.stdout   |  18 ++++++++
 .../scripts.base.protocols.ntp.ntp2/ntp.log   |  27 ++++++++++++
 .../scripts.base.protocols.ntp.ntp3/.stdout   |  30 ++++++++++++++
 .../scripts.base.protocols.ntp.ntp3/ntp.log   |  39 ++++++++++++++++++
 testing/btest/Traces/ntp/NTP_sync.pcap        | Bin 0 -> 3851 bytes
 testing/btest/Traces/ntp/ntp.pcap             | Bin 0 -> 3416 bytes
 testing/btest/Traces/ntp/ntp2.pcap            | Bin 0 -> 3734 bytes
 testing/btest/Traces/ntp/ntpmode67.pcap       | Bin 0 -> 1194 bytes
 .../btest/scripts/base/protocols/ntp/ntp.test |  11 +++++
 .../scripts/base/protocols/ntp/ntp2.test      |  11 +++++
 .../scripts/base/protocols/ntp/ntp3.test      |  11 +++++
 .../scripts/base/protocols/ntp/ntpmode67.test |   9 ++++
 14 files changed, 197 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
 create mode 100644 testing/btest/Traces/ntp/NTP_sync.pcap
 create mode 100644 testing/btest/Traces/ntp/ntp.pcap
 create mode 100644 testing/btest/Traces/ntp/ntp2.pcap
 create mode 100644 testing/btest/Traces/ntp/ntpmode67.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ntp/ntp.test
 create mode 100644 testing/btest/scripts/base/protocols/ntp/ntp2.test
 create mode 100644 testing/btest/scripts/base/protocols/ntp/ntp3.test
 create mode 100644 testing/btest/scripts/base/protocols/ntp/ntpmode67.test

diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
new file mode 100644
index 0000000000..01f587e829
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
@@ -0,0 +1,16 @@
+ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.048843, root_disp=0.07135, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245852.721794, org_time=1559246614.027421, rec_time=1559246614.048376, xmt_time=1559246614.048407, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.003799, root_disp=0.032959, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245541.537424, org_time=1559246617.027452, rec_time=1559246617.040799, xmt_time=1559246617.040813, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.040375, root_disp=0.001266, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246560.207644, org_time=1559246619.027384, rec_time=1559246619.054018, xmt_time=1559246619.054053, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.003235, root_disp=0.000275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246481.481997, org_time=1559246620.027461, rec_time=1559246620.040139, xmt_time=1559246620.040206, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013397, root_disp=0.053787, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559244627.070973, org_time=1559246620.027408, rec_time=1559246620.043959, xmt_time=1559246620.043985, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000001, root_delay=0.00351, root_disp=0.036545, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245278.44239, org_time=1559246620.027475, rec_time=1559246620.048058, xmt_time=1559246620.048074, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.01091, root_disp=0.033463, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245577.265702, org_time=1559246621.027421, rec_time=1559246621.073143, xmt_time=1559246621.073172, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013733, root_disp=0.041672, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245709.302032, org_time=1559246622.027446, rec_time=1559246622.071899, xmt_time=1559246622.071924, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000002, root_delay=0.00351, root_disp=0.038559, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245178.020777, org_time=1559246622.027478, rec_time=1559246622.068521, xmt_time=1559246622.06856, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=GPS\x00, ref_time=1559246622.0, org_time=1559246622.027384, rec_time=1559246622.073734, xmt_time=1559246622.07374, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.03743, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246622.027464, rec_time=1559246622.086267, xmt_time=1559246622.086348, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.025391, root_disp=0.011642, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246412.455332, org_time=1559246623.027478, rec_time=1559246623.041209, xmt_time=1559246623.04122, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.036835, root_disp=0.046951, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245789.870424, org_time=1559246623.027521, rec_time=1559246623.04836, xmt_time=1559246623.048416, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013535, root_disp=0.025497, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246283.180069, org_time=1559246626.027514, rec_time=1559246626.044105, xmt_time=1559246626.044139, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246626.027432, rec_time=1559246626.058084, xmt_time=1559246626.058151, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=4, std_msg=[stratum=3, poll=64.0, precision=0.000001, root_delay=0.011765, root_disp=0.001526, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245638.390748, org_time=1559246627.027459, rec_time=1559246627.050401, xmt_time=1559246627.050438, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
new file mode 100644
index 0000000000..d5ef690ea5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
@@ -0,0 +1,25 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntp
+#open	2019-06-04-15-48-36
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
+1559246614.074475	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.071350	-	-	-	-	1559245852.721794	1559246614.027421	1559246614.048376	1559246614.048407	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246617.063504	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	4	2	64.000000	0.000000	0.003799	0.032959	-	-	-	-	1559245541.537424	1559246617.027452	1559246617.040799	1559246617.040813	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246619.074513	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	4	2	64.000000	0.000000	0.040375	0.001266	-	-	-	-	1559246560.207644	1559246619.027384	1559246619.054018	1559246619.054053	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.059693	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	185.19.184.35	123	4	4	2	64.000000	0.000008	0.003235	0.000275	-	-	-	-	1559246481.481997	1559246620.027461	1559246620.040139	1559246620.040206	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.065302	CtPZjS20MLrsMUOJi2	192.168.43.118	123	188.213.165.209	123	4	4	2	64.000000	0.000000	0.013397	0.053787	-	-	-	-	1559244627.070973	1559246620.027408	1559246620.043959	1559246620.043985	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.065335	CmES5u32sYpV7JYN	192.168.43.118	123	212.45.144.3	123	4	4	2	64.000000	0.000001	0.003510	0.036545	-	-	-	-	1559245278.442390	1559246620.027475	1559246620.048058	1559246620.048074	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246621.095645	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	4	2	64.000000	0.000000	0.010910	0.033463	-	-	-	-	1559245577.265702	1559246621.027421	1559246621.073143	1559246621.073172	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.092519	C3eiCBGOLw3VtHfOj	192.168.43.118	123	94.177.187.22	123	4	4	2	64.000000	0.000000	0.013733	0.041672	-	-	-	-	1559245709.302032	1559246622.027446	1559246622.071899	1559246622.071924	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.092556	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	4	2	64.000000	0.000002	0.003510	0.038559	-	-	-	-	1559245178.020777	1559246622.027478	1559246622.068521	1559246622.068560	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.100109	C37jN32gN3y3AZzyf6	192.168.43.118	123	85.199.214.99	123	4	4	1	16.000000	0.000000	0.000000	0.000000	-	-	-	-	1559246622.000000	1559246622.027384	1559246622.073734	1559246622.073740	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.100152	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	147.135.207.214	123	4	4	2	64.000000	0.000008	0.042236	0.037430	-	-	-	-	1559245356.576177	1559246622.027464	1559246622.086267	1559246622.086348	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246623.062844	CFLRIC3zaTU1loLGxh	192.168.43.118	123	93.41.196.243	123	4	4	2	64.000000	0.000000	0.025391	0.011642	-	-	-	-	1559246412.455332	1559246623.027478	1559246623.041209	1559246623.041220	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246623.070217	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.171.177	123	4	4	4	64.000000	0.000000	0.036835	0.046951	-	-	-	-	1559245789.870424	1559246623.027521	1559246623.048360	1559246623.048416	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246626.065984	C9mvWx3ezztgzcexV7	192.168.43.118	123	80.211.155.206	123	4	4	2	64.000000	0.000000	0.013535	0.025497	-	-	-	-	1559246283.180069	1559246626.027514	1559246626.044105	1559246626.044139	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246626.075079	Ck51lg1bScffFj34Ri	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.037491	-	-	-	-	1559245356.576177	1559246626.027432	1559246626.058084	1559246626.058151	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246627.073485	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011765	0.001526	-	-	-	-	1559245638.390748	1559246627.027459	1559246627.050401	1559246627.050438	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+#close	2019-06-04-15-48-36
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
new file mode 100644
index 0000000000..4d29c17d7d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
@@ -0,0 +1,18 @@
+ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.048843, root_disp=0.075409, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245852.721794, org_time=1559246885.027449, rec_time=1559246885.069212, xmt_time=1559246885.069247, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.003799, root_disp=0.037018, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245541.537424, org_time=1559246887.027425, rec_time=1559246887.050758, xmt_time=1559246887.050774, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.003235, root_disp=0.000565, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246481.481997, org_time=1559246888.030021, rec_time=1559246888.22033, xmt_time=1559246888.220401, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.040375, root_disp=0.001236, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246882.967102, org_time=1559246888.027454, rec_time=1559246888.234035, xmt_time=1559246888.234061, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000001, root_delay=0.00351, root_disp=0.040573, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245278.44239, org_time=1559246889.027449, rec_time=1559246889.061203, xmt_time=1559246889.06122, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013596, root_disp=0.025208, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246828.086879, org_time=1559246890.027523, rec_time=1559246890.060644, xmt_time=1559246890.060687, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.01091, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245577.265702, org_time=1559246890.027512, rec_time=1559246890.069012, xmt_time=1559246890.069048, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=GPS\x00, ref_time=1559246890.0, org_time=1559246890.027469, rec_time=1559246890.070262, xmt_time=1559246890.070268, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.025391, root_disp=0.015671, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246412.455332, org_time=1559246891.027395, rec_time=1559246891.051818, xmt_time=1559246891.051827, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013657, root_disp=0.025818, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246788.670839, org_time=1559246891.029953, rec_time=1559246891.061992, xmt_time=1559246891.062023, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000002, root_delay=0.00351, root_disp=0.042603, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245178.020777, org_time=1559246892.027401, rec_time=1559246892.05139, xmt_time=1559246892.051436, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041504, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246894.027491, rec_time=1559246894.059304, xmt_time=1559246894.05938, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=4, std_msg=[stratum=3, poll=64.0, precision=0.000001, root_delay=0.011917, root_disp=0.000565, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246667.219303, org_time=1559246898.027403, rec_time=1559246898.077958, xmt_time=1559246898.078029, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.036819, root_disp=0.050842, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246822.40751, org_time=1559246898.029953, rec_time=1559246898.078347, xmt_time=1559246898.07843, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013535, root_disp=0.029602, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246283.180069, org_time=1559246900.030036, rec_time=1559246900.08881, xmt_time=1559246900.088844, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041595, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246900.027439, rec_time=1559246900.103765, xmt_time=1559246900.103887, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=3, std_msg=[stratum=0, poll=16.0, precision=0.015625, root_delay=1.0, root_disp=1.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1101309131.444112, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.000122, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=CTD\x00, ref_time=1559246910.937978, org_time=1101309131.444112, rec_time=1559246940.281161, xmt_time=1559246940.281191, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
new file mode 100644
index 0000000000..e49c170785
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
@@ -0,0 +1,27 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntp
+#open	2019-06-04-15-48-51
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
+1559246885.088815	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.075409	-	-	-	-	1559245852.721794	1559246885.027449	1559246885.069212	1559246885.069247	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246887.060766	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	4	2	64.000000	0.000000	0.003799	0.037018	-	-	-	-	1559245541.537424	1559246887.027425	1559246887.050758	1559246887.050774	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246888.422200	CtPZjS20MLrsMUOJi2	192.168.43.118	123	185.19.184.35	123	4	4	2	64.000000	0.000008	0.003235	0.000565	-	-	-	-	1559246481.481997	1559246888.030021	1559246888.220330	1559246888.220401	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246888.422229	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	4	2	64.000000	0.000000	0.040375	0.001236	-	-	-	-	1559246882.967102	1559246888.027454	1559246888.234035	1559246888.234061	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246889.075261	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	212.45.144.3	123	4	4	2	64.000000	0.000001	0.003510	0.040573	-	-	-	-	1559245278.442390	1559246889.027449	1559246889.061203	1559246889.061220	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.076319	C37jN32gN3y3AZzyf6	192.168.43.118	123	188.213.165.209	123	4	4	2	64.000000	0.000000	0.013596	0.025208	-	-	-	-	1559246828.086879	1559246890.027523	1559246890.060644	1559246890.060687	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.082370	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	4	2	64.000000	0.000000	0.010910	0.037491	-	-	-	-	1559245577.265702	1559246890.027512	1559246890.069012	1559246890.069048	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.094824	CmES5u32sYpV7JYN	192.168.43.118	123	85.199.214.99	123	4	4	1	16.000000	0.000000	0.000000	0.000000	-	-	-	-	1559246890.000000	1559246890.027469	1559246890.070262	1559246890.070268	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246891.068733	C3eiCBGOLw3VtHfOj	192.168.43.118	123	93.41.196.243	123	4	4	2	64.000000	0.000000	0.025391	0.015671	-	-	-	-	1559246412.455332	1559246891.027395	1559246891.051818	1559246891.051827	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246891.075965	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	94.177.187.22	123	4	4	2	64.000000	0.000000	0.013657	0.025818	-	-	-	-	1559246788.670839	1559246891.029953	1559246891.061992	1559246891.062023	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246892.077560	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	4	2	64.000000	0.000002	0.003510	0.042603	-	-	-	-	1559245178.020777	1559246892.027401	1559246892.051390	1559246892.051436	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246894.070325	CFLRIC3zaTU1loLGxh	192.168.43.118	123	147.135.207.214	123	4	4	2	64.000000	0.000008	0.042236	0.041504	-	-	-	-	1559245356.576177	1559246894.027491	1559246894.059304	1559246894.059380	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246898.094782	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011917	0.000565	-	-	-	-	1559246667.219303	1559246898.027403	1559246898.077958	1559246898.078029	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246898.094827	Ck51lg1bScffFj34Ri	192.168.43.118	123	80.211.171.177	123	4	4	4	64.000000	0.000000	0.036819	0.050842	-	-	-	-	1559246822.407510	1559246898.029953	1559246898.078347	1559246898.078430	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246900.102991	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.155.206	123	4	4	2	64.000000	0.000000	0.013535	0.029602	-	-	-	-	1559246283.180069	1559246900.030036	1559246900.088810	1559246900.088844	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246900.111834	C9mvWx3ezztgzcexV7	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.041595	-	-	-	-	1559245356.576177	1559246900.027439	1559246900.103765	1559246900.103887	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246940.262220	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	3	0	16.000000	0.015625	1.000000	1.000000	-	-	-	-	0.000000	0.000000	0.000000	1101309131.444112	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246940.304152	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	4	1	16.000000	0.000000	0.000000	0.000122	-	-	-	-	1559246910.937978	1101309131.444112	1559246940.281161	1559246940.281191	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+#close	2019-06-04-15-48-51
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/.stdout
new file mode 100644
index 0000000000..f472ab8a40
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/.stdout
@@ -0,0 +1,30 @@
+ntp_message 192.168.50.50 -> 67.129.68.9:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 69.44.57.60:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 207.234.209.181:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 209.132.176.4:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 216.27.185.42:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 24.34.79.42:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 24.123.202.230:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 63.164.62.249:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 64.112.189.11:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 65.125.233.206:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.33.206.5:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.33.216.11:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.92.68.246:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.111.46.200:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.115.136.4:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 69.44.57.60:123 [version=3, mode=2, std_msg=[stratum=3, poll=1024.0, precision=0.000004, root_delay=0.109238, root_disp=0.081726, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254668.551001, org_time=1096255084.922896, rec_time=1096255083.809713, xmt_time=1096255083.80976, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 24.123.202.230:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.030319, root_disp=0.185547, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096252181.259041, org_time=1096255084.922896, rec_time=1096255083.821124, xmt_time=1096255083.821134, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 67.129.68.9:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000008, root_delay=0.060455, root_disp=7.46431, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1095788645.064548, org_time=1096255084.922896, rec_time=1096255083.848508, xmt_time=1096255083.848601, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 65.125.233.206:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000031, root_delay=0.023254, root_disp=0.012848, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254901.858123, org_time=1096255084.922896, rec_time=1096255083.828025, xmt_time=1096255083.828189, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 63.164.62.249:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.015015, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254668.213801, org_time=1096255084.922896, rec_time=1096255083.829249, xmt_time=1096255083.829301, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 207.234.209.181:123 [version=3, mode=2, std_msg=[stratum=3, poll=1024.0, precision=0.000008, root_delay=0.072678, root_disp=0.035049, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254326.1896, org_time=1096255084.922896, rec_time=1096255083.824154, xmt_time=1096255083.824174, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.92.68.246:123 [version=3, mode=2, std_msg=[stratum=1, poll=1024.0, precision=0.000015, root_delay=0.0, root_disp=0.00032, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=GPS\x00, ref_time=1096255078.223498, org_time=1096255084.932911, rec_time=1096255083.836845, xmt_time=1096255083.83687, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 24.34.79.42:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000031, root_delay=0.123322, root_disp=0.039917, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254970.010788, org_time=1096255084.922896, rec_time=1096255083.825662, xmt_time=1096255083.825692, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.115.136.4:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000008, root_delay=0.016632, root_disp=0.028641, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254406.517429, org_time=1096255084.932911, rec_time=1096255083.853291, xmt_time=1096255083.853336, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.33.206.5:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000004, root_delay=0.01236, root_disp=0.022202, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096255027.694744, org_time=1096255084.932911, rec_time=1096255083.850895, xmt_time=1096255083.850907, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.33.216.11:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.009857, root_disp=0.043747, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254508.255586, org_time=1096255084.932911, rec_time=1096255083.850965, xmt_time=1096255083.851024, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.111.46.200:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.056396, root_disp=0.062164, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096253376.841474, org_time=1096255084.932911, rec_time=1096255083.847619, xmt_time=1096255083.847644, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 64.112.189.11:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000015, root_delay=0.081268, root_disp=0.029877, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254706.14029, org_time=1096255084.922896, rec_time=1096255083.850451, xmt_time=1096255083.850465, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 216.27.185.42:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000004, root_delay=0.029846, root_disp=0.045456, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254209.896379, org_time=1096255084.922896, rec_time=1096255083.849099, xmt_time=1096255083.849269, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 209.132.176.4:123 [version=3, mode=2, std_msg=[stratum=1, poll=1024.0, precision=0.000015, root_delay=0.0, root_disp=0.000504, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=CDMA, ref_time=1096255068.944018, org_time=1096255084.922896, rec_time=1096255083.827772, xmt_time=1096255083.828313, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
new file mode 100644
index 0000000000..c0f8be47a8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
@@ -0,0 +1,39 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntp
+#open	2019-06-04-15-48-57
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
+1096255084.954975	ClEkJM2Vm5giqnMf4h	192.168.50.50	123	67.129.68.9	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.955306	C4J4Th3PJpwUYZZ6gc	192.168.50.50	123	69.44.57.60	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.955760	CtPZjS20MLrsMUOJi2	192.168.50.50	123	207.234.209.181	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.956155	CUM0KZ3MLUfNB0cl11	192.168.50.50	123	209.132.176.4	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.956577	CmES5u32sYpV7JYN	192.168.50.50	123	216.27.185.42	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.956975	CP5puj4I8PtEU4qzYg	192.168.50.50	123	24.34.79.42	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.957457	C37jN32gN3y3AZzyf6	192.168.50.50	123	24.123.202.230	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.957903	C3eiCBGOLw3VtHfOj	192.168.50.50	123	63.164.62.249	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.958625	CwjjYJ2WqgTbAqiHl6	192.168.50.50	123	64.112.189.11	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.959273	C0LAHyvtKSQHyJxIl	192.168.50.50	123	65.125.233.206	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.960065	CFLRIC3zaTU1loLGxh	192.168.50.50	123	66.33.206.5	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.960866	C9rXSW3KSpTYvPrlI1	192.168.50.50	123	66.33.216.11	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.961475	Ck51lg1bScffFj34Ri	192.168.50.50	123	66.92.68.246	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.962222	C9mvWx3ezztgzcexV7	192.168.50.50	123	66.111.46.200	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.962915	CNnMIj2QSd84NKf7U3	192.168.50.50	123	66.115.136.4	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.012029	C4J4Th3PJpwUYZZ6gc	192.168.50.50	123	69.44.57.60	123	3	2	3	1024.000000	0.000004	0.109238	0.081726	-	-	-	-	1096254668.551001	1096255084.922896	1096255083.809713	1096255083.809760	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.049280	C37jN32gN3y3AZzyf6	192.168.50.50	123	24.123.202.230	123	3	2	2	1024.000000	0.000001	0.030319	0.185547	-	-	-	-	1096252181.259041	1096255084.922896	1096255083.821124	1096255083.821134	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.092991	ClEkJM2Vm5giqnMf4h	192.168.50.50	123	67.129.68.9	123	3	2	2	1024.000000	0.000008	0.060455	7.464310	-	-	-	-	1095788645.064548	1096255084.922896	1096255083.848508	1096255083.848601	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.120557	C0LAHyvtKSQHyJxIl	192.168.50.50	123	65.125.233.206	123	3	2	2	1024.000000	0.000031	0.023254	0.012848	-	-	-	-	1096254901.858123	1096255084.922896	1096255083.828025	1096255083.828189	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.185955	C3eiCBGOLw3VtHfOj	192.168.50.50	123	63.164.62.249	123	3	2	2	1024.000000	0.000001	0.015015	0.037491	-	-	-	-	1096254668.213801	1096255084.922896	1096255083.829249	1096255083.829301	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.223026	CtPZjS20MLrsMUOJi2	192.168.50.50	123	207.234.209.181	123	3	2	3	1024.000000	0.000008	0.072678	0.035049	-	-	-	-	1096254326.189600	1096255084.922896	1096255083.824154	1096255083.824174	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.280949	Ck51lg1bScffFj34Ri	192.168.50.50	123	66.92.68.246	123	3	2	1	1024.000000	0.000015	0.000000	0.000320	-	-	-	-	1096255078.223498	1096255084.932911	1096255083.836845	1096255083.836870	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.304774	CP5puj4I8PtEU4qzYg	192.168.50.50	123	24.34.79.42	123	3	2	2	1024.000000	0.000031	0.123322	0.039917	-	-	-	-	1096254970.010788	1096255084.922896	1096255083.825662	1096255083.825692	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.353360	CNnMIj2QSd84NKf7U3	192.168.50.50	123	66.115.136.4	123	3	2	2	1024.000000	0.000008	0.016632	0.028641	-	-	-	-	1096254406.517429	1096255084.932911	1096255083.853291	1096255083.853336	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.406368	CFLRIC3zaTU1loLGxh	192.168.50.50	123	66.33.206.5	123	3	2	2	1024.000000	0.000004	0.012360	0.022202	-	-	-	-	1096255027.694744	1096255084.932911	1096255083.850895	1096255083.850907	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.439833	C9rXSW3KSpTYvPrlI1	192.168.50.50	123	66.33.216.11	123	3	2	2	1024.000000	0.000001	0.009857	0.043747	-	-	-	-	1096254508.255586	1096255084.932911	1096255083.850965	1096255083.851024	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.480955	C9mvWx3ezztgzcexV7	192.168.50.50	123	66.111.46.200	123	3	2	2	1024.000000	0.000001	0.056396	0.062164	-	-	-	-	1096253376.841474	1096255084.932911	1096255083.847619	1096255083.847644	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.522297	CwjjYJ2WqgTbAqiHl6	192.168.50.50	123	64.112.189.11	123	3	2	2	1024.000000	0.000015	0.081268	0.029877	-	-	-	-	1096254706.140290	1096255084.922896	1096255083.850451	1096255083.850465	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.562197	CmES5u32sYpV7JYN	192.168.50.50	123	216.27.185.42	123	3	2	2	1024.000000	0.000004	0.029846	0.045456	-	-	-	-	1096254209.896379	1096255084.922896	1096255083.849099	1096255083.849269	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.599961	CUM0KZ3MLUfNB0cl11	192.168.50.50	123	209.132.176.4	123	3	2	1	1024.000000	0.000015	0.000000	0.000504	-	-	-	-	1096255068.944018	1096255084.922896	1096255083.827772	1096255083.828313	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+#close	2019-06-04-15-48-57
diff --git a/testing/btest/Traces/ntp/NTP_sync.pcap b/testing/btest/Traces/ntp/NTP_sync.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..997d9fbf5a658bf09d0b38e05c0273255abc6148
GIT binary patch
literal 3851
zcmbW)2~ZPP7y#gZH-UsmgNxvxcnmnzqKF)#c#;GJu|X(kTOG$5AYOzdO@arsok$(j
zY3X50TdU4UMT^yXwP>r=k|K^{8L8ay8tqiZBK4}ZfED`ww-A<TS;vIgEH9h9Z~lG%
zd+*=+%A+MLNTK)D-3`EyhN18k_2D!nyh#4X1H9D*N7Lb#MF!P;Im`i=rBDOdxi@ZC
zlto5XlmR1UAsRxM{V;+29=jkfHrFaOn@k3Y(PoyIEGzH=gI(9=C}9K(^x!+?0qmMp
z2BibUa(m?1Ep`vlQkLobvk4|_u#+Bqz!TX2?YhDn0f6T=fi!MIyqB;&Cv@6OVY{aF
zV!5z=apPgBu-zQ^{di$JAULIeJO6x(@Oo_N><(dDWj-}X*jB&!`vqZJ6Li6&f4jNg
z_ccr6AN9L#3Om=YZQU%DrlzE5`))3au@7zpUy0EgA<xmRGORUO)=7+d8#p-Vz3Stc
zYt@s_@N?FfC%ok6nU|rn>J9ScCW~#oZLNvTTq(RBAlI$Y8*RB3og!mpj&<S+i%D;0
zjRxU&IHlE~v)EQ;khkSJtIhF_&}MY3(JIT)Wo6}NW;>=hLg;|8mOUVy!<>tEB=!v8
zA&{PrnBj@J^4eA<EGEf>$A8jLtI%K?mUm*F;E+Q;`HN|<b%LT3e*g^o0X+}!R>ex&
z+BA2zqV&~AqEZ}6KL(<N$;3;{U+zfeVo@m`rR~3>glWo4*M4wEdi;r~L}s#`JK2sB
zP5@r&s&hvw`Ak$wK<U7AlyGYC(%qr%NRvJnl@d{Ej6w+~EiVn@+>y8)qS9QH7LTM7
zSq^w<$76S-nw_Fj5=y79ql60$FEJJFNF}>OrFkf+=(>wb7%vsva7PN+Eh>?H#m@PL
zV@$X>^3p=L#!0<bRMMg}aRExW?DEp+mS>6SPTkBjTq82}iAu>RjY;OE=AOIff88Ca
za=)lFAEjessYJF4KBlr0?nnm@ib^RcRja5(HX&X*-QbRtc|=r7Maj}lC9=KolD_y^
zr5rL&Pr~>egYFu%Z0V~oKpUB$f=OIi04)kgR`8P7tHULVI{<-y1NgPQbkKghij`=K
zl*@na-6hERc1_Zv7JAkib5OEZh)Dn{2<L4204x_=QoP4-R?!9^s|1*2KRap(Tg7w~
zYf=kpgi>vESUF0y(T({i#bz^oJ7NEr1_Q})6-?ynLTTaSk|sP)q`Lq<c_3SJmFt3t
zGo39r2NzB~C6t^~FLt5ioYk6u(jSdalft>sY+BN|q>-IOx)0#-5I{1opyuH{(qr`H
zuOGAtrMeDFB1-krh*KzKHnIc71fU%{R|R3*nH#jYa!Kqq{_aVd0lc>Peh8y*oTi-I
z_nuIyPulk>m6ClKlp<G1L?pa>q1=hFv@CQ<0cw&F<nH-y2atE1O=CzVFpt8w>>4MO
zY9Biepj7*Wi$N(jN%|CNGFNS*1)fW)4jaxW?)4NY{)wsSKzeMMHg$XqO1S!<&^Ti~
zf1WkMfl}e#r%7SlgFITgx+HcoKTe~!0w`kM&Sn&(=RCF&wxfi#5K47Ri%IsA^Rgm2
zN~u{M1I5&nd*NJBtcJ|mzAR5S@wq1@HJWT8pAl@r#x>K2q0}4GrPmWzqjbqOJqx8}
zQJx~wf-f;69^Rtmvn!^UcZo!1u4FvPze5$?L;OgO-yFGgnvPSi<g8amqvUK*Y({C=
zF)_)ZLFuhTO%N%}U6QPv&poyfU{F+bK0CLHWe=#0{+om`Ih&hyQt3+hI+RYnEE9>T
zJzoV;+-->lOMI7f_A)Oi&1Ckr@@qtws%dqTQYbY)dEXnQ=I+Qml%}<dNe$m(OofH?
z;lw3HY#|cKJ--WNoc7uk|9F!5WEs;ss05|njBp-*VKj~DyCHNw`F|`QC?+y<zX(=A
zBp1AtK1R7D^9_ESWToWp?JkX*{S%o_8*Z)-pc&zkmKH6b(yAjijA`3AFA+%<2oS+F
n1k(pNmvpU4FrR|r;*-^+$1C^uhx{gtsqWU*Qk3ew(?<RaB|h$V

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/ntp/ntp.pcap b/testing/btest/Traces/ntp/ntp.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..eaacb72d6b8f9a821eff484e613f581e5d5c3ae0
GIT binary patch
literal 3416
zcmaKvdrXsO6vp3{wqNOOe61iL4iO|8!QmBjYB~leHz_*Na%mXW2qQ9a-hy*#rh*$P
zi-Lk&ra0o1ZBoVIa8c%U!o&r{k$GVzauIKFn^WAz&Urt&uc^sf(meE^_t)o~=bZ0t
z`#IYIDUlKJB_k5};1T*Hb#^u($?!kE3s&!o-s@U^@|x@LkxCNTK;oj~jl{@roOSl_
z_%)`sDa*-v_zTND>@QW^Cq&&zh$3X+rH&<CW%a50n?DW%eMgi2!<(pvni$j)POd(J
zr2f&8|49Nv-~ow{xT0DknZieuAO&dxsU$o=rsyR^vzZWmMApMrpRO`ndBdf3{q~bl
zH5sYRRIS!*FCbZ%p4Mp4(+6QlX%8-1ERal(96U{S@|2{?Y`z18B)8xu3ur0F={6wA
z?YUUJS3UJ55faQVs6mS8$@Nx%RM7|JenE(GMN`YlzOJ&mrQ7#ZNbD!0s&d<&QC-=T
zH3CTPOi%H&Pie=I;;Z}kwBTviBnMAZojjTK{~o&n1hePd%q-CTob>a9NaFojeX2TZ
zB$Ij1=SUGf-7W%8{e-B%F<Edfx9Aa^m_Bvvs9O8UsM_|iE>t^~&-VdRFw@iFDC|@C
zEu@^j{>9INr-auWJWX@*v`BfbdoB<b>3Y8309ww;rvHJY7$)hvuaV?;4@svC4gLZt
zt%^Z1^Fd2`fME8hpZAoKxa09iTFfL#MkA?rEs`J=E<@QXWss6pMb;1?B)bJ<m?%kE
zDW%ne4B035)$H~1I8Txp=tt~R_dn35$Izp8c<Y7i)${AEArI^xP*qVo7gCM+>oSr&
z23e%1cabD}fjtsQXDmV@TyhA}UJyuMwdu#ltfM683#!`q+h(fa`+h-ED3f$(HqKM2
z0V^kxCK-YB0Q__l;+g`a-mbD^mR#d1Om#U2)k4+8Z}g`+ubhkoQaH0u_ua5hXC@-W
zSGP4!=u^=XhdzZmWzVcXkUItlX3t2QH)sXyy~{|dSk0QJloFh$6f06hPqVv)>Peen
zM|?K4BeqA#HF5TnQT3<tI;b{gpMM=l-b_z<57ASN4Jr8D1y7#49Xy3Oc}i7>9hn6L
z`);q~q%}{G#C~do1|sS2n@F<MHF^jnMF@jr9yaYu+<#`T%hDRqN>0(R7D)+APx1^T
z-BTfHcYbS!KuWmCBDr6kFcV4MZ~Is&iR*iYq*Ny9F(tjoMiS)jsz6G#GDyj)y_!ZK
zB=hxM@sy;zR*R%%S*%3(ev9+uC&S7iO(5kAKq6q`UADlMJt`!^rj1V=?4&0{wNUlT
z22!YIl~Gb5lcYL8NDx1%8~uo+!sS4EI5bapgn9aAK%Q8ES*zs011kSXSs>LN<7c2J
zZ9dCW9-Q|+-|!yhOC$xh1W05(K%%cXrUe8~#1E7NSwq!#g<>*5_f;S%j7jngBxEA*
zH;8EvNmp>5VDG7}!Hy_y=OkNTN7U}#G;cm7K>|=c+>6&x_3pmm3#1%oA|&u6H1gvf
zAti0x`QL>;>9#r~V!HD@DJORZ0U=fU(mfKiic>acA?Z^lX*faBj3^|T+K$!<q}~S%
zQi?VxD-#GQhKqOdC`o-tg`^MvWbN{|S_oOe50s)Gv3euJp?YxNQ*0tc`clZ=iI!DG
z)vb09sH(y`1Jxbrw0hBcRw72kV9LW!pdXRsvqQM=xx!OJBahCI!L7@dcDvoL*zN&U
z^KL9=uS&C2UOgH-MKY`R#&oP+;}oPoDy|FFOSs@ry_rsZN;3@B)Bz#QOA~t%^dKj{
zl8K~`n53i#B&p~<!qm2ZXh(FqGDsG+F(3*E7CyswFD0o*tw+*X39EXoiCDeLT}TnD
z_tQe?Q$Os8wa}}4VRBEzPVgeJ_LEW7F?n*TamQ+rG-nKpWYge06?kFgL{e{o!#tHb
z%@eH_5_GrsY@>Sjxw}7**z>e22dn2UM~bO!@fM*^#b-u{zcpq#^(kGoWZJJlNO#-m
zsRga(xWeN|()zMI?Kj{vcep1~L{CixJ}!8VaB+bJWW{?E+{-UomAV`DlTkH2!|)eC
JwWe>I$A6bF*b4vv

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/ntp/ntp2.pcap b/testing/btest/Traces/ntp/ntp2.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d242cc5c54a1443ccb12f06ec62caf736276a050
GIT binary patch
literal 3734
zcma)<dr(wm7{))?8z{TW0R%FP96<qv6wy`?gMkJK1`yK>h17**83kPeBaqPq<&r50
zOuBe0Z^&xG3W$l4kz#`e3RoHtfhC9+Mn_2ot@k~L?d+^G-*lL>5Btye+vj=T@7CU^
z|Js}g3I7O*8GLb746RtYhL9NeAK(1+-JxGu?yYULbeLp8-mN3yy-x#30P|<b_vO<!
zM78-OlPvgCXv(LUi|-LK{uUt;-z7~ql|9;;6*iqe+4X2^SIdSbJw~+)Da{5wA`y2_
zMAD-ev;RmOgW~~-knl`V0P$g#`y&Nu94WEVMJVnk#OgCbY$K8$v^e!>^?U1@G6oGJ
zqcUgy2xj#=&zaMJ6h`$V_d`#&Es@ghS+tBJMLjg~G~dKiygXM>3xs&PF0nc2F^MQr
zj-<E;e0r~Xx?D(zC$k|HDZHo192ax(0L1;A5X;PqS5pUiv{eZOCHu?_Bcocq+*rcu
zKLsIfKw3rh)VhlGv>z$XvYdL((@t+APyQyJl-A0CLLeyZg3NA$mP;glfk+BZ=RLjJ
z5n-p1RMdl{v$l0pI8y8Z3Q1+v-7y^qD(gJ=8!YKm>IEbzG-66eXc+8>3}2-1>FqoU
z={<t<+TnHO(yL*z;%DABjEt&C+<uwWwX>X%w1i4(Rs@jQ%!5ss98Wr11*Abj#w`WX
zqDD>8Lm2U!;o{+8mIP^``VG`Ju{xNt*&RqR)H-c>1Jg^)LJD++V66A{7^Szsq)sYX
z_j3UdR7~a4C!ohA;=V#8y>O+?r|Z99@2$y13h(LmL-2GT{QL#Jl#pJ3kG3*S6Ofi<
z7#UTr6HR9Igj1gfkP@h#bPeb!o$Uzx?VKmaVk1xQn0Qj#^m|SKg4%Iq(`nEOiN(Cf
zNXn*?@{5r4rXKw`%eH26q@p1TDM7mJP&E(|nCdGQENQ&R9ZC6A(!53_Rjou)eaDgO
z94S&xAtgGW^ZFeKiD9*iuX3b|T}X2Fpw&sG#4i6b11Wr+${4Qq1X+ZL)3`d-uC@0+
zmuVOoRle<`GFA(GMv?SGAdS?Ui(THHj>++)xtScvyct%bJ!7j;L9oawoFj?cQJIQn
zTwyDilWw6%Qm4{Lx&}hlF?qYO>O85e)WuAA7kZC<LZTKE91*{;B<KK^Fsj$E`oiYv
zbRbQm)@i#V*6BbgQexeIe8Sa9w$-Rk0Vchtk}hyVqKcWd{yk8gL=cyTBsq26JLrj|
z;tnLmRh_fvNaC3kQj#>f^)L{UtVdfDS&~k497)+$wDf)pCS*OcYBKua({mI;onX%u
zZze=2;ObO;HLd7Si@^h`G-xQA)!@RpNILIEBk7~D_jah!4^O%h0VLR;1e<`imm}2%
z>+0?A7(AfLyX(AJ?Ya1329O-6b=soB^i*o3z>4%Um)@dyqx1qz>ZF#RKA8pt^@Q1V
z<3LYH1dUoG{q05b)SF4j3}(3%Qg~0L=n3{}cHQge=F_PW(V~60^RXkNN~aAvvg*-i
z?FFP9swaIvdU`t-DaCm$H^<h9%SN7pOgtr77fuZVLXxewUjgX163dfXB-Pl^Jmu*K
znZ@WoMGEg}V=s7uop4+$ya(GQX1TDIpD5lOfgQk(j4Joaab<P(7ZbgK^aj<_TOXsR
zbb^$qwq?1Tr_zSk`SV_giKk?FLAn|U$#%Z^FG2MZLFZ8<Sy1Ow#(pIIdW<9KsyI^r
zeWUbDNhvlV3vGdrVn6JCgC$iApFz?B>S|>E4A;F=bI=c;-kfA70q%qXDRhM^o-yDI
z+pKW$Uup1wYWq|sWA%CE4J56hlC*(1pBn3<+H_SsX-hJ9hP6y4L@EqjEyP_yrH=j_
z>!g=}2UI&*Deg~tJKJaHeSkzi!|p1_^gg(R6zGbMvEI96lwPPwoivQ<S{)EHcFIRM
zpQ<I|`94TeQtNbf2a=9yxjL1N&D>j-6w*3r%fN>~SjSvzfwL`;DpMMf6uFDm<*|1$
zJ^4sfTba?!?P`QBAA~x60(XrPZst~pdA&x$3?rl3*Zb*Ny^xlTq}$ar(isPwPdPG7
zj<1uCr_p>mYBHbLw2&~dDCQ8WyO(vX08%*ItMKlGugPf{ZZ!_}g!nQG>yU!Ky)PXq
zrAWx`Bf=5(3WnD(%5y1lN|>f9`U#R85A&o~?;0vMOt0YxQaDe*Qq)|7Js0m9_*ewJ
zAB;QSg(2sND~6HbduPaq8=js!Lq^@BkrcaDLh&TMgB>ycp21W3RP;1?k^>QVaG?M9
F`7f+)NZSAa

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/ntp/ntpmode67.pcap b/testing/btest/Traces/ntp/ntpmode67.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..ca0a8ca105eb384ddf6b6eec4bd9b3ef10639dfb
GIT binary patch
literal 1194
zcmca|c+)~A1{MYcU}0bca<-&Ci@6iP!e9nugD^7SU~pw%(BORRz~CTg^q`)Bff0n~
zJ2F%=i2PF*V+0!j)&Mf)VK81(o`OxehhYj60}}&-*L#pLAXD;V@tX1mY|3>krZ59d
z`2aHIAkdU(ekO)jKsE>?1F(<o2yuZ-(PD*}@?ba6M<@Q>7H41v1<8;F$ACV+D8+-v
z=VH1bpQ}EC`Fy(@+~-<D*4sdbp9T6{rj-{@Dwc8w`CO?6=JPwdFjFzel;7=mP4NVq
zQiWj(QYr?Sa%=)#Qv$%I6k{<3o{BF6P0=^u#}k)wD?z5nrol|PSq+cNA)Sf=a~N)4

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ntp/ntp.test b/testing/btest/scripts/base/protocols/ntp/ntp.test
new file mode 100644
index 0000000000..9ad4daa8af
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ntp/ntp.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -r $TRACES/ntp/ntp.pcap %INPUT
+# @TEST-EXEC: btest-diff ntp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ntp
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
+{
+   print fmt("ntp_message %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, msg);
+}
+
diff --git a/testing/btest/scripts/base/protocols/ntp/ntp2.test b/testing/btest/scripts/base/protocols/ntp/ntp2.test
new file mode 100644
index 0000000000..b59363e90e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ntp/ntp2.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -r $TRACES/ntp/ntp2.pcap %INPUT
+# @TEST-EXEC: btest-diff ntp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ntp
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
+{
+   print fmt("ntp_message %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, msg);
+}
+
diff --git a/testing/btest/scripts/base/protocols/ntp/ntp3.test b/testing/btest/scripts/base/protocols/ntp/ntp3.test
new file mode 100644
index 0000000000..01feb9ed3b
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ntp/ntp3.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -r $TRACES/ntp/NTP_sync.pcap %INPUT
+# @TEST-EXEC: btest-diff ntp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ntp
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
+{
+   print fmt("ntp_message %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, msg);
+}
+
diff --git a/testing/btest/scripts/base/protocols/ntp/ntpmode67.test b/testing/btest/scripts/base/protocols/ntp/ntpmode67.test
new file mode 100644
index 0000000000..b2100ae840
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ntp/ntpmode67.test
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/ntp/ntpmode67.pcap %INPUT
+
+@load base/protocols/ntp
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
+{
+   print fmt("ntp_message %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, msg);
+}
+

From 48cda6a81dd1255403d32dd29a635a922c647849 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Wed, 5 Jun 2019 11:17:40 +0200
Subject: [PATCH 21/91] add tests for ntp protocol (finished)

---
 .../scripts.base.protocols.ntp.ntp/.stdout    | 16 ++++++++++++++
 .../scripts.base.protocols.ntp.ntp/ntp.log    | 20 ++++++++++++++++--
 .../scripts.base.protocols.ntp.ntp2/.stdout   | 17 +++++++++++++++
 .../scripts.base.protocols.ntp.ntp2/ntp.log   | 21 +++++++++++++++++--
 .../scripts.base.protocols.ntp.ntp3/ntp.log   |  4 ++--
 .../.stdout                                   |  9 ++++++++
 .../ntp.log                                   | 18 ++++++++++++++++
 .../btest/scripts/base/protocols/ntp/ntp.test |  2 +-
 .../scripts/base/protocols/ntp/ntp2.test      |  2 +-
 .../scripts/base/protocols/ntp/ntp3.test      |  2 +-
 .../scripts/base/protocols/ntp/ntpmode67.test |  4 +++-
 11 files changed, 105 insertions(+), 10 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log

diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
index 01f587e829..ffb4b4f91d 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
@@ -1,16 +1,32 @@
+ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02417, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246548.048352, rec_time=1559246548.076756, xmt_time=1559246614.027421, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.048843, root_disp=0.07135, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245852.721794, org_time=1559246614.027421, rec_time=1559246614.048376, xmt_time=1559246614.048407, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024216, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246550.040662, rec_time=1559246550.063198, xmt_time=1559246617.027452, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.003799, root_disp=0.032959, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245541.537424, org_time=1559246617.027452, rec_time=1559246617.040799, xmt_time=1559246617.040813, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024246, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.074199, rec_time=1559246553.094855, xmt_time=1559246619.027384, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.040375, root_disp=0.001266, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246560.207644, org_time=1559246619.027384, rec_time=1559246619.054018, xmt_time=1559246619.054053, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246551.034239, rec_time=1559246551.058223, xmt_time=1559246620.027408, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.067084, rec_time=1559246553.088704, xmt_time=1559246620.027461, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246554.041266, rec_time=1559246554.063055, xmt_time=1559246620.027475, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.003235, root_disp=0.000275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246481.481997, org_time=1559246620.027461, rec_time=1559246620.040139, xmt_time=1559246620.040206, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013397, root_disp=0.053787, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559244627.070973, org_time=1559246620.027408, rec_time=1559246620.043959, xmt_time=1559246620.043985, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000001, root_delay=0.00351, root_disp=0.036545, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245278.44239, org_time=1559246620.027475, rec_time=1559246620.048058, xmt_time=1559246620.048074, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024277, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.072776, rec_time=1559246553.094814, xmt_time=1559246621.027421, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.01091, root_disp=0.033463, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245577.265702, org_time=1559246621.027421, rec_time=1559246621.073143, xmt_time=1559246621.073172, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246556.043833, rec_time=1559246556.073681, xmt_time=1559246622.027384, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.078959, rec_time=1559246553.100708, xmt_time=1559246622.027446, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.085177, rec_time=1559246553.102587, xmt_time=1559246622.027464, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246554.041367, rec_time=1559246554.069181, xmt_time=1559246622.027478, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013733, root_disp=0.041672, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245709.302032, org_time=1559246622.027446, rec_time=1559246622.071899, xmt_time=1559246622.071924, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000002, root_delay=0.00351, root_disp=0.038559, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245178.020777, org_time=1559246622.027478, rec_time=1559246622.068521, xmt_time=1559246622.06856, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=GPS\x00, ref_time=1559246622.0, org_time=1559246622.027384, rec_time=1559246622.073734, xmt_time=1559246622.07374, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.03743, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246622.027464, rec_time=1559246622.086267, xmt_time=1559246622.086348, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024307, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246556.032041, rec_time=1559246556.054612, xmt_time=1559246623.027478, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024307, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246555.051459, rec_time=1559246555.077253, xmt_time=1559246623.027521, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.025391, root_disp=0.011642, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246412.455332, org_time=1559246623.027478, rec_time=1559246623.041209, xmt_time=1559246623.04122, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.036835, root_disp=0.046951, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245789.870424, org_time=1559246623.027521, rec_time=1559246623.04836, xmt_time=1559246623.048416, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024353, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246557.07812, rec_time=1559246557.097844, xmt_time=1559246626.027432, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024353, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246558.043947, rec_time=1559246558.067904, xmt_time=1559246626.027514, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013535, root_disp=0.025497, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246283.180069, org_time=1559246626.027514, rec_time=1559246626.044105, xmt_time=1559246626.044139, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246626.027432, rec_time=1559246626.058084, xmt_time=1559246626.058151, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024368, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246560.040576, rec_time=1559246560.064668, xmt_time=1559246627.027459, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=4, std_msg=[stratum=3, poll=64.0, precision=0.000001, root_delay=0.011765, root_disp=0.001526, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245638.390748, org_time=1559246627.027459, rec_time=1559246627.050401, xmt_time=1559246627.050438, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
index d5ef690ea5..382f3f6ed7 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
@@ -3,23 +3,39 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-04-15-48-36
+#open	2019-06-05-09-15-37
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
 #types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
+1559246614.027454	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	3	2	64.000000	0.000000	0.046280	0.024170	-	-	-	-	1559246556.073681	1559246548.048352	1559246548.076756	1559246614.027421	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246614.074475	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.071350	-	-	-	-	1559245852.721794	1559246614.027421	1559246614.048376	1559246614.048407	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246617.027486	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	3	2	64.000000	0.000000	0.046280	0.024216	-	-	-	-	1559246556.073681	1559246550.040662	1559246550.063198	1559246617.027452	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246617.063504	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	4	2	64.000000	0.000000	0.003799	0.032959	-	-	-	-	1559245541.537424	1559246617.027452	1559246617.040799	1559246617.040813	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246619.027413	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	3	2	64.000000	0.000000	0.046280	0.024246	-	-	-	-	1559246556.073681	1559246553.074199	1559246553.094855	1559246619.027384	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246619.074513	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	4	2	64.000000	0.000000	0.040375	0.001266	-	-	-	-	1559246560.207644	1559246619.027384	1559246619.054018	1559246619.054053	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.027437	CtPZjS20MLrsMUOJi2	192.168.43.118	123	188.213.165.209	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	-	-	1559246556.073681	1559246551.034239	1559246551.058223	1559246620.027408	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.027466	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	185.19.184.35	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	-	-	1559246556.073681	1559246553.067084	1559246553.088704	1559246620.027461	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.027480	CmES5u32sYpV7JYN	192.168.43.118	123	212.45.144.3	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	-	-	1559246556.073681	1559246554.041266	1559246554.063055	1559246620.027475	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246620.059693	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	185.19.184.35	123	4	4	2	64.000000	0.000008	0.003235	0.000275	-	-	-	-	1559246481.481997	1559246620.027461	1559246620.040139	1559246620.040206	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246620.065302	CtPZjS20MLrsMUOJi2	192.168.43.118	123	188.213.165.209	123	4	4	2	64.000000	0.000000	0.013397	0.053787	-	-	-	-	1559244627.070973	1559246620.027408	1559246620.043959	1559246620.043985	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246620.065335	CmES5u32sYpV7JYN	192.168.43.118	123	212.45.144.3	123	4	4	2	64.000000	0.000001	0.003510	0.036545	-	-	-	-	1559245278.442390	1559246620.027475	1559246620.048058	1559246620.048074	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246621.027458	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	3	2	64.000000	0.000000	0.046280	0.024277	-	-	-	-	1559246556.073681	1559246553.072776	1559246553.094814	1559246621.027421	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246621.095645	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	4	2	64.000000	0.000000	0.010910	0.033463	-	-	-	-	1559245577.265702	1559246621.027421	1559246621.073143	1559246621.073172	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.027418	C37jN32gN3y3AZzyf6	192.168.43.118	123	85.199.214.99	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	-	-	1559246556.073681	1559246556.043833	1559246556.073681	1559246622.027384	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.027454	C3eiCBGOLw3VtHfOj	192.168.43.118	123	94.177.187.22	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	-	-	1559246556.073681	1559246553.078959	1559246553.100708	1559246622.027446	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.027471	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	147.135.207.214	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	-	-	1559246556.073681	1559246553.085177	1559246553.102587	1559246622.027464	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.027484	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	-	-	1559246556.073681	1559246554.041367	1559246554.069181	1559246622.027478	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246622.092519	C3eiCBGOLw3VtHfOj	192.168.43.118	123	94.177.187.22	123	4	4	2	64.000000	0.000000	0.013733	0.041672	-	-	-	-	1559245709.302032	1559246622.027446	1559246622.071899	1559246622.071924	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246622.092556	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	4	2	64.000000	0.000002	0.003510	0.038559	-	-	-	-	1559245178.020777	1559246622.027478	1559246622.068521	1559246622.068560	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246622.100109	C37jN32gN3y3AZzyf6	192.168.43.118	123	85.199.214.99	123	4	4	1	16.000000	0.000000	0.000000	0.000000	-	-	-	-	1559246622.000000	1559246622.027384	1559246622.073734	1559246622.073740	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246622.100152	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	147.135.207.214	123	4	4	2	64.000000	0.000008	0.042236	0.037430	-	-	-	-	1559245356.576177	1559246622.027464	1559246622.086267	1559246622.086348	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246623.027502	CFLRIC3zaTU1loLGxh	192.168.43.118	123	93.41.196.243	123	4	3	2	64.000000	0.000000	0.046280	0.024307	-	-	-	-	1559246556.073681	1559246556.032041	1559246556.054612	1559246623.027478	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246623.027531	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.171.177	123	4	3	2	64.000000	0.000000	0.046280	0.024307	-	-	-	-	1559246556.073681	1559246555.051459	1559246555.077253	1559246623.027521	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246623.062844	CFLRIC3zaTU1loLGxh	192.168.43.118	123	93.41.196.243	123	4	4	2	64.000000	0.000000	0.025391	0.011642	-	-	-	-	1559246412.455332	1559246623.027478	1559246623.041209	1559246623.041220	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246623.070217	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.171.177	123	4	4	4	64.000000	0.000000	0.036835	0.046951	-	-	-	-	1559245789.870424	1559246623.027521	1559246623.048360	1559246623.048416	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246626.027461	Ck51lg1bScffFj34Ri	192.168.43.118	123	147.135.207.213	123	4	3	2	64.000000	0.000000	0.046280	0.024353	-	-	-	-	1559246556.073681	1559246557.078120	1559246557.097844	1559246626.027432	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246626.027518	C9mvWx3ezztgzcexV7	192.168.43.118	123	80.211.155.206	123	4	3	2	64.000000	0.000000	0.046280	0.024353	-	-	-	-	1559246556.073681	1559246558.043947	1559246558.067904	1559246626.027514	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246626.065984	C9mvWx3ezztgzcexV7	192.168.43.118	123	80.211.155.206	123	4	4	2	64.000000	0.000000	0.013535	0.025497	-	-	-	-	1559246283.180069	1559246626.027514	1559246626.044105	1559246626.044139	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246626.075079	Ck51lg1bScffFj34Ri	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.037491	-	-	-	-	1559245356.576177	1559246626.027432	1559246626.058084	1559246626.058151	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246627.027502	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	3	2	64.000000	0.000000	0.046280	0.024368	-	-	-	-	1559246556.073681	1559246560.040576	1559246560.064668	1559246627.027459	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246627.073485	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011765	0.001526	-	-	-	-	1559245638.390748	1559246627.027459	1559246627.050401	1559246627.050438	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-#close	2019-06-04-15-48-36
+#close	2019-06-05-09-15-37
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
index 4d29c17d7d..ac82db736a 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
@@ -1,18 +1,35 @@
+ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028229, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246818.058351, rec_time=1559246818.079217, xmt_time=1559246885.027449, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.048843, root_disp=0.075409, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245852.721794, org_time=1559246885.027449, rec_time=1559246885.069212, xmt_time=1559246885.069247, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028259, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246820.060608, rec_time=1559246820.081498, xmt_time=1559246887.027425, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.003799, root_disp=0.037018, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245541.537424, org_time=1559246887.027425, rec_time=1559246887.050758, xmt_time=1559246887.050774, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246819.064014, rec_time=1559246819.079147, xmt_time=1559246888.027454, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.050275, rec_time=1559246822.064562, xmt_time=1559246888.030021, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.003235, root_disp=0.000565, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246481.481997, org_time=1559246888.030021, rec_time=1559246888.22033, xmt_time=1559246888.220401, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.040375, root_disp=0.001236, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246882.967102, org_time=1559246888.027454, rec_time=1559246888.234035, xmt_time=1559246888.234061, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02829, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.05809, rec_time=1559246822.069097, xmt_time=1559246889.027449, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000001, root_delay=0.00351, root_disp=0.040573, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245278.44239, org_time=1559246889.027449, rec_time=1559246889.061203, xmt_time=1559246889.06122, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246824.073855, rec_time=1559246824.095227, xmt_time=1559246890.027469, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246821.052836, rec_time=1559246821.069165, xmt_time=1559246890.027512, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246823.12395, rec_time=1559246823.295751, xmt_time=1559246890.027523, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013596, root_disp=0.025208, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246828.086879, org_time=1559246890.027523, rec_time=1559246890.060644, xmt_time=1559246890.060687, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.01091, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245577.265702, org_time=1559246890.027512, rec_time=1559246890.069012, xmt_time=1559246890.069048, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=GPS\x00, ref_time=1559246890.0, org_time=1559246890.027469, rec_time=1559246890.070262, xmt_time=1559246890.070268, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02832, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.05173, rec_time=1559246822.067161, xmt_time=1559246891.027395, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02832, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246825.052045, rec_time=1559246825.066358, xmt_time=1559246891.029953, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.025391, root_disp=0.015671, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246412.455332, org_time=1559246891.027395, rec_time=1559246891.051818, xmt_time=1559246891.051827, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013657, root_disp=0.025818, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246788.670839, org_time=1559246891.029953, rec_time=1559246891.061992, xmt_time=1559246891.062023, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028336, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246824.061335, rec_time=1559246824.08282, xmt_time=1559246892.027401, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000002, root_delay=0.00351, root_disp=0.042603, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245178.020777, org_time=1559246892.027401, rec_time=1559246892.05139, xmt_time=1559246892.051436, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028366, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246825.064608, rec_time=1559246825.074985, xmt_time=1559246894.027491, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041504, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246894.027491, rec_time=1559246894.059304, xmt_time=1559246894.05938, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028427, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246829.060691, rec_time=1559246829.079018, xmt_time=1559246898.027403, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028427, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246830.0714, rec_time=1559246830.08971, xmt_time=1559246898.029953, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=4, std_msg=[stratum=3, poll=64.0, precision=0.000001, root_delay=0.011917, root_disp=0.000565, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246667.219303, org_time=1559246898.027403, rec_time=1559246898.077958, xmt_time=1559246898.078029, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.036819, root_disp=0.050842, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246822.40751, org_time=1559246898.029953, rec_time=1559246898.078347, xmt_time=1559246898.07843, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028458, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246833.067975, rec_time=1559246833.07965, xmt_time=1559246900.027439, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028458, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246831.053954, rec_time=1559246831.069547, xmt_time=1559246900.030036, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013535, root_disp=0.029602, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246283.180069, org_time=1559246900.030036, rec_time=1559246900.08881, xmt_time=1559246900.088844, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041595, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246900.027439, rec_time=1559246900.103765, xmt_time=1559246900.103887, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=3, std_msg=[stratum=0, poll=16.0, precision=0.015625, root_delay=1.0, root_disp=1.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1101309131.444112, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.000122, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=CTD\x00, ref_time=1559246910.937978, org_time=1101309131.444112, rec_time=1559246940.281161, xmt_time=1559246940.281191, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=42, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
index e49c170785..4c56431bf0 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
@@ -3,25 +3,42 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-04-15-48-51
+#open	2019-06-05-09-15-43
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
 #types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
+1559246885.027478	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	3	2	64.000000	0.000000	0.046280	0.028229	-	-	-	-	1559246556.073681	1559246818.058351	1559246818.079217	1559246885.027449	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246885.088815	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.075409	-	-	-	-	1559245852.721794	1559246885.027449	1559246885.069212	1559246885.069247	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246887.027467	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	3	2	64.000000	0.000000	0.046280	0.028259	-	-	-	-	1559246556.073681	1559246820.060608	1559246820.081498	1559246887.027425	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246887.060766	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	4	2	64.000000	0.000000	0.003799	0.037018	-	-	-	-	1559245541.537424	1559246887.027425	1559246887.050758	1559246887.050774	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246888.027489	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	3	2	64.000000	0.000000	0.046280	0.028275	-	-	-	-	1559246556.073681	1559246819.064014	1559246819.079147	1559246888.027454	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246888.030028	CtPZjS20MLrsMUOJi2	192.168.43.118	123	185.19.184.35	123	4	3	2	64.000000	0.000000	0.046280	0.028275	-	-	-	-	1559246556.073681	1559246822.050275	1559246822.064562	1559246888.030021	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246888.422200	CtPZjS20MLrsMUOJi2	192.168.43.118	123	185.19.184.35	123	4	4	2	64.000000	0.000008	0.003235	0.000565	-	-	-	-	1559246481.481997	1559246888.030021	1559246888.220330	1559246888.220401	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246888.422229	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	4	2	64.000000	0.000000	0.040375	0.001236	-	-	-	-	1559246882.967102	1559246888.027454	1559246888.234035	1559246888.234061	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246889.027482	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	212.45.144.3	123	4	3	2	64.000000	0.000000	0.046280	0.028290	-	-	-	-	1559246556.073681	1559246822.058090	1559246822.069097	1559246889.027449	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246889.075261	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	212.45.144.3	123	4	4	2	64.000000	0.000001	0.003510	0.040573	-	-	-	-	1559245278.442390	1559246889.027449	1559246889.061203	1559246889.061220	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.027493	CmES5u32sYpV7JYN	192.168.43.118	123	85.199.214.99	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	-	-	1559246556.073681	1559246824.073855	1559246824.095227	1559246890.027469	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.027517	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	-	-	1559246556.073681	1559246821.052836	1559246821.069165	1559246890.027512	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.027528	C37jN32gN3y3AZzyf6	192.168.43.118	123	188.213.165.209	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	-	-	1559246556.073681	1559246823.123950	1559246823.295751	1559246890.027523	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246890.076319	C37jN32gN3y3AZzyf6	192.168.43.118	123	188.213.165.209	123	4	4	2	64.000000	0.000000	0.013596	0.025208	-	-	-	-	1559246828.086879	1559246890.027523	1559246890.060644	1559246890.060687	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246890.082370	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	4	2	64.000000	0.000000	0.010910	0.037491	-	-	-	-	1559245577.265702	1559246890.027512	1559246890.069012	1559246890.069048	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246890.094824	CmES5u32sYpV7JYN	192.168.43.118	123	85.199.214.99	123	4	4	1	16.000000	0.000000	0.000000	0.000000	-	-	-	-	1559246890.000000	1559246890.027469	1559246890.070262	1559246890.070268	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246891.027431	C3eiCBGOLw3VtHfOj	192.168.43.118	123	93.41.196.243	123	4	3	2	64.000000	0.000000	0.046280	0.028320	-	-	-	-	1559246556.073681	1559246822.051730	1559246822.067161	1559246891.027395	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246891.029967	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	94.177.187.22	123	4	3	2	64.000000	0.000000	0.046280	0.028320	-	-	-	-	1559246556.073681	1559246825.052045	1559246825.066358	1559246891.029953	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246891.068733	C3eiCBGOLw3VtHfOj	192.168.43.118	123	93.41.196.243	123	4	4	2	64.000000	0.000000	0.025391	0.015671	-	-	-	-	1559246412.455332	1559246891.027395	1559246891.051818	1559246891.051827	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246891.075965	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	94.177.187.22	123	4	4	2	64.000000	0.000000	0.013657	0.025818	-	-	-	-	1559246788.670839	1559246891.029953	1559246891.061992	1559246891.062023	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246892.027415	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	3	2	64.000000	0.000000	0.046280	0.028336	-	-	-	-	1559246556.073681	1559246824.061335	1559246824.082820	1559246892.027401	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246892.077560	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	4	2	64.000000	0.000002	0.003510	0.042603	-	-	-	-	1559245178.020777	1559246892.027401	1559246892.051390	1559246892.051436	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246894.027523	CFLRIC3zaTU1loLGxh	192.168.43.118	123	147.135.207.214	123	4	3	2	64.000000	0.000000	0.046280	0.028366	-	-	-	-	1559246556.073681	1559246825.064608	1559246825.074985	1559246894.027491	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246894.070325	CFLRIC3zaTU1loLGxh	192.168.43.118	123	147.135.207.214	123	4	4	2	64.000000	0.000008	0.042236	0.041504	-	-	-	-	1559245356.576177	1559246894.027491	1559246894.059304	1559246894.059380	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246898.027422	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.88.132	123	3	3	2	64.000000	0.000000	0.046280	0.028427	-	-	-	-	1559246556.073681	1559246829.060691	1559246829.079018	1559246898.027403	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246898.029960	Ck51lg1bScffFj34Ri	192.168.43.118	123	80.211.171.177	123	4	3	2	64.000000	0.000000	0.046280	0.028427	-	-	-	-	1559246556.073681	1559246830.071400	1559246830.089710	1559246898.029953	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246898.094782	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011917	0.000565	-	-	-	-	1559246667.219303	1559246898.027403	1559246898.077958	1559246898.078029	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246898.094827	Ck51lg1bScffFj34Ri	192.168.43.118	123	80.211.171.177	123	4	4	4	64.000000	0.000000	0.036819	0.050842	-	-	-	-	1559246822.407510	1559246898.029953	1559246898.078347	1559246898.078430	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246900.027467	C9mvWx3ezztgzcexV7	192.168.43.118	123	147.135.207.213	123	4	3	2	64.000000	0.000000	0.046280	0.028458	-	-	-	-	1559246556.073681	1559246833.067975	1559246833.079650	1559246900.027439	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
+1559246900.030051	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.155.206	123	4	3	2	64.000000	0.000000	0.046280	0.028458	-	-	-	-	1559246556.073681	1559246831.053954	1559246831.069547	1559246900.030036	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246900.102991	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.155.206	123	4	4	2	64.000000	0.000000	0.013535	0.029602	-	-	-	-	1559246283.180069	1559246900.030036	1559246900.088810	1559246900.088844	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246900.111834	C9mvWx3ezztgzcexV7	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.041595	-	-	-	-	1559245356.576177	1559246900.027439	1559246900.103765	1559246900.103887	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246940.262220	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	3	0	16.000000	0.015625	1.000000	1.000000	-	-	-	-	0.000000	0.000000	0.000000	1101309131.444112	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1559246940.304152	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	4	1	16.000000	0.000000	0.000000	0.000122	-	-	-	-	1559246910.937978	1101309131.444112	1559246940.281161	1559246940.281191	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-#close	2019-06-04-15-48-51
+1559246940.486493	CykQaM33ztNt0csB9a	192.168.43.118	43046	193.204.114.232	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	42	F	-	3	0
+#close	2019-06-05-09-15-44
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
index c0f8be47a8..5075ab04ed 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-04-15-48-57
+#open	2019-06-05-09-15-50
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
 #types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
 1096255084.954975	ClEkJM2Vm5giqnMf4h	192.168.50.50	123	67.129.68.9	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
@@ -36,4 +36,4 @@
 1096255085.522297	CwjjYJ2WqgTbAqiHl6	192.168.50.50	123	64.112.189.11	123	3	2	2	1024.000000	0.000015	0.081268	0.029877	-	-	-	-	1096254706.140290	1096255084.922896	1096255083.850451	1096255083.850465	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1096255085.562197	CmES5u32sYpV7JYN	192.168.50.50	123	216.27.185.42	123	3	2	2	1024.000000	0.000004	0.029846	0.045456	-	-	-	-	1096254209.896379	1096255084.922896	1096255083.849099	1096255083.849269	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
 1096255085.599961	CUM0KZ3MLUfNB0cl11	192.168.50.50	123	209.132.176.4	123	3	2	1	1024.000000	0.000015	0.000000	0.000504	-	-	-	-	1096255068.944018	1096255084.922896	1096255083.827772	1096255083.828313	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-#close	2019-06-04-15-48-57
+#close	2019-06-05-09-15-50
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
new file mode 100644
index 0000000000..be9c6ad425
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
@@ -0,0 +1,9 @@
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, offs=0, c=0, data=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, offs=0, c=0, data=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, offs=0, c=0, data=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=1, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=42, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, offs=0, c=0, data=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, offs=0, c=0, data=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, offs=0, c=0, data=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=1, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log
new file mode 100644
index 0000000000..fdfd021186
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log
@@ -0,0 +1,18 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntp
+#open	2019-06-05-09-15-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
+1558603188.282844	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	-	-	-	-	-
+1558603188.283617	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	-	-	-	-	-
+1558603188.286063	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	-	-	-	-	-
+1558603201.135003	ClEkJM2Vm5giqnMf4h	127.0.0.1	57531	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	1	F	-	3	0
+1558603206.793297	C4J4Th3PJpwUYZZ6gc	127.0.0.1	46918	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	42	F	-	3	0
+1558603213.886044	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	-	-	-	-	-
+1558603213.886779	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	-	-	-	-	-
+1558603213.889030	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	-	-	-	-	-
+1558603219.996399	CUM0KZ3MLUfNB0cl11	127.0.0.1	55675	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	1	F	-	3	0
+#close	2019-06-05-09-15-16
diff --git a/testing/btest/scripts/base/protocols/ntp/ntp.test b/testing/btest/scripts/base/protocols/ntp/ntp.test
index 9ad4daa8af..022a708962 100644
--- a/testing/btest/scripts/base/protocols/ntp/ntp.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntp.test
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/ntp/ntp.pcap %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/ntp/ntp.pcap %INPUT
 # @TEST-EXEC: btest-diff ntp.log
 # @TEST-EXEC: btest-diff .stdout
 
diff --git a/testing/btest/scripts/base/protocols/ntp/ntp2.test b/testing/btest/scripts/base/protocols/ntp/ntp2.test
index b59363e90e..89c93f68e2 100644
--- a/testing/btest/scripts/base/protocols/ntp/ntp2.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntp2.test
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/ntp/ntp2.pcap %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/ntp/ntp2.pcap %INPUT
 # @TEST-EXEC: btest-diff ntp.log
 # @TEST-EXEC: btest-diff .stdout
 
diff --git a/testing/btest/scripts/base/protocols/ntp/ntp3.test b/testing/btest/scripts/base/protocols/ntp/ntp3.test
index 01feb9ed3b..a72596b5e4 100644
--- a/testing/btest/scripts/base/protocols/ntp/ntp3.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntp3.test
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/ntp/NTP_sync.pcap %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/ntp/NTP_sync.pcap %INPUT
 # @TEST-EXEC: btest-diff ntp.log
 # @TEST-EXEC: btest-diff .stdout
 
diff --git a/testing/btest/scripts/base/protocols/ntp/ntpmode67.test b/testing/btest/scripts/base/protocols/ntp/ntpmode67.test
index b2100ae840..7407795a48 100644
--- a/testing/btest/scripts/base/protocols/ntp/ntpmode67.test
+++ b/testing/btest/scripts/base/protocols/ntp/ntpmode67.test
@@ -1,4 +1,6 @@
-# @TEST-EXEC: bro -r $TRACES/ntp/ntpmode67.pcap %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/ntp/ntpmode67.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff ntp.log
 
 @load base/protocols/ntp
 

From 2dc7695d875b324f41c67026a883dc3ae3771a87 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Wed, 5 Jun 2019 15:26:45 +0200
Subject: [PATCH 22/91] fix wrong Assign with reference_id

---
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 8a94db1d18..2cb3c664b6 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -46,18 +46,18 @@ refine flow NTP_Flow += {
               	switch ( ${nsm.stratum} )
               	{
                  case 0:
-                   	// unknown stratum => kiss code
-                    	rv->Assign(7, bytestring_to_val(${nsm.reference_id}));
-                    	break;
+                    // unknown stratum => kiss code
+                    rv->Assign(5, bytestring_to_val(${nsm.reference_id}));
+                    break;
                  case 1:
                     // reference clock => ref clock string
-                    rv->Assign(8, bytestring_to_val(${nsm.reference_id}));
+                    rv->Assign(6, bytestring_to_val(${nsm.reference_id}));
                     break;
                  default:
-                   // TODO: Check for v4/v6
-                   const uint8* d = ${nsm.reference_id}.data();
-                   rv->Assign(9, new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
-                   break;
+                    // TODO: Check for v4/v6
+                    const uint8* d = ${nsm.reference_id}.data();
+                    rv->Assign(7, new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
+                    break;
               	}
 
                 rv->Assign(9, proc_ntp_timestamp(${nsm.reference_ts}));

From df0a4b9bb7d4366d63201b290f0a9e971620c557 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Wed, 5 Jun 2019 18:15:18 +0200
Subject: [PATCH 23/91] fix key_id and digest (WIP)

---
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 5 +++++
 src/analyzer/protocol/ntp/ntp-protocol.pac | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 2cb3c664b6..8ab14bb0bf 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -65,6 +65,11 @@ refine flow NTP_Flow += {
                 rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
                 rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
 
+		if (${nsm.mac.key_id}) {
+		    //rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id}));
+		    //rv->Assign(14, bytestring_to_val(${nsm.mac.digest}));
+			cout<<"booo"<<endl;
+		}
                 rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
 
         	return rv;
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index 4a1e8af22b..721780c261 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -57,13 +57,17 @@ type NTP_control_msg = record {
         association_id	: uint16;
         offs		: uint16;
         c	   	: uint16;
-        data		: bytestring &restofdata;
-	#auth		: #TODO
+	data		: bytestring &length=c;
+        have_mac       : case (offsetof(have_mac) < length) of {
+                                true  -> mac : NTP_MAC;
+                                false -> nil : empty;
+                         } &requires(length);
 } &let {
         R:	bool   = (second_byte & 0x80) > 0;	# First bit of 8-bits value
         E:	bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
         M:     	bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
         OpCode:	uint8  = (second_byte & 0x1F);	# Last 5 bits of 8-bits value
+        length          = sourcedata.length();
 } &byteorder=bigendian &exportsourcedata;
 
 

From ed113918e7960a14a0d062dbb7f879cedb86da88 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Wed, 5 Jun 2019 11:11:49 -0700
Subject: [PATCH 24/91] GH-209: replace "remote_ip" field of radius.log with
 "tunnel_client"

The type of the field also changed from "addr" to "string" because the
former cannot represent all possible values of the
Tunnel-Client-Endpoint attribute, which may include FQDNs, not just IP
addresses.
---
 NEWS                                                  |  5 +++++
 scripts/base/protocols/radius/main.zeek               | 11 ++++++-----
 .../scripts.base.protocols.radius.auth/radius.log     |  8 ++++----
 .../radius.log                                        |  8 ++++----
 4 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/NEWS b/NEWS
index 4de34ba8e8..e549da2b60 100644
--- a/NEWS
+++ b/NEWS
@@ -216,6 +216,11 @@ Changed Functionality
   in scripts has also been updated to replace Sphinx cross-referencing roles
   and directives like ":bro:see:" with ":zeek:zee:".
 
+- The "remote_ip" field of "addr" type was removed from radius.log and
+  replaced with a field named "tunnel_client" of "string" type.  The
+  reason for this is that the Tunnel-Client-Endpoint RADIUS attribute
+  this data is derived from may also be a FQDN, not just an IP address.
+
 Removed Functionality
 ---------------------
 
diff --git a/scripts/base/protocols/radius/main.zeek b/scripts/base/protocols/radius/main.zeek
index 6cd69227c8..bffe996402 100644
--- a/scripts/base/protocols/radius/main.zeek
+++ b/scripts/base/protocols/radius/main.zeek
@@ -24,9 +24,10 @@ export {
 		## and the network access server is not required to honor 
 		## the address.
 		framed_addr  : addr     &log &optional;
-		## Remote IP address, if present.  This is collected
-		## from the Tunnel-Client-Endpoint attribute.
-		remote_ip    : addr     &log &optional;
+		## Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,
+		## if present.  This is collected from the Tunnel-Client-Endpoint
+		## attribute.
+		tunnel_client: string   &log &optional;
 		## Connect info, if present.
 		connect_info : string   &log &optional;
 		## Reply message from the server challenge. This is 
@@ -85,8 +86,8 @@ event radius_message(c: connection, result: RADIUS::Message) &priority=5
 					c$radius$mac = normalize_mac(result$attributes[31][0]);
 
 				# Tunnel-Client-EndPoint (useful for VPNs)
-				if ( ! c$radius?$remote_ip && 66 in result$attributes )
-					c$radius$remote_ip = to_addr(result$attributes[66][0]);
+				if ( ! c$radius?$tunnel_client && 66 in result$attributes )
+					c$radius$tunnel_client = result$attributes[66][0];
 
 				# Connect-Info
 				if ( ! c$radius?$connect_info && 77 in result$attributes )
diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
index bd536ecca2..a681496944 100644
--- a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
+++ b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	radius
-#open	2017-02-20-04-53-55
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	mac	framed_addr	remote_ip	connect_info	reply_msg	result	ttl
-#types	time	string	addr	port	addr	port	string	string	addr	addr	string	string	string	interval
+#open	2019-06-05-18-03-41
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	mac	framed_addr	tunnel_client	connect_info	reply_msg	result	ttl
+#types	time	string	addr	port	addr	port	string	string	addr	string	string	string	string	interval
 1217631137.872968	CHhAvVGS1DHFjwGM9	10.0.0.1	1645	10.0.0.100	1812	John.McGuirk	00:14:22:e9:54:5e	255.255.255.254	-	-	Hello, %u	success	0.043882
-#close	2017-02-20-04-53-55
+#close	2019-06-05-18-03-41
diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log
index 8dac83de65..510c7ef503 100644
--- a/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log
+++ b/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	radius
-#open	2017-02-20-04-56-31
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	mac	framed_addr	remote_ip	connect_info	reply_msg	result	ttl
-#types	time	string	addr	port	addr	port	string	string	addr	addr	string	string	string	interval
+#open	2019-06-05-18-04-34
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	username	mac	framed_addr	tunnel_client	connect_info	reply_msg	result	ttl
+#types	time	string	addr	port	addr	port	string	string	addr	string	string	string	string	interval
 1440447766.440305	CHhAvVGS1DHFjwGM9	127.0.0.1	53031	127.0.0.1	1812	steve	-	172.16.3.33	-	-	-	failed	1.005906
 1440447839.947454	ClEkJM2Vm5giqnMf4h	127.0.0.1	65443	127.0.0.1	1812	steve	-	172.16.3.33	-	-	-	success	0.000779
 1440447848.196115	C4J4Th3PJpwUYZZ6gc	127.0.0.1	57717	127.0.0.1	1812	steve	-	-	-	-	-	success	0.000275
@@ -13,4 +13,4 @@
 1440447880.931272	CUM0KZ3MLUfNB0cl11	127.0.0.1	52178	127.0.0.1	1812	steve	-	-	-	-	-	failed	1.001459
 1440447904.122012	CmES5u32sYpV7JYN	127.0.0.1	62956	127.0.0.1	1812	steve	-	-	-	-	-	unknown	-
 1440448190.335333	CP5puj4I8PtEU4qzYg	127.0.0.1	53127	127.0.0.1	1812	steve	-	-	-	-	-	success	0.000517
-#close	2017-02-20-04-56-31
+#close	2019-06-05-18-04-34

From c8253e04999d228d6d17d8e44b1a452e50fbca0f Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Thu, 6 Jun 2019 11:50:12 +0200
Subject: [PATCH 25/91] remove old NTP record in init-bare.zeek

---
 scripts/base/init-bare.zeek | 49 -------------------------------------
 1 file changed, 49 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 42e0eea538..0c677d3b37 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -2526,55 +2526,6 @@ export {
 	};
 }
 
-module NTP;
-
-export {
-	## NTP message as defined in :rfc:`5905`.
-	## Doesn't include fields for mode 7 (reserved for private use), e.g. monlist
-	type NTP::Message: record {
-		## The NTP version number
-		version:            count;
-		## The NTP mode being used
-		mode:               count;
-		## The stratum (primary server, secondary server, etc.)
-		stratum:            count;
-		## The maximum interval between successive messages
-		poll:               interval;
-		## The precision of the system clock
-		precision:          interval;
-
-		## Total round-trip delay to the reference clock
-		root_delay:         interval;
-		## Total dispersion to the reference clock
-		root_disp:          interval;
-		## For stratum 0, 4 character string used for debugging
-		kiss_code:          string &optional;
-		## For stratum 1, ID assigned to the reference clock by IANA
-		ref_id:             string &optional;
-		## Above stratum 1, when using IPv4, the IP address of the reference clock
-		ref_addr:           addr &optional;
-
-		## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
-		## IPv6 address of the reference clock
-		ref_v6_hash_prefix: string &optional;
-		## Time when the system clock was last set or correct
-		ref_time:           time;
-		## Time at the client when the request departed for the NTP server
-		org_time:           time;
-		## Time at the server when the request arrived from the NTP client
-		rec_time:           time;
-		## Time at the server when the response departed for the NTP client
-		xmt_time:           time;
-		## Key used to designate a secret MD5 key
-		key_id:             count &optional;
-		## MD5 hash computed over the key followed by the NTP packet header and extension fields
-		digest:             string &optional;
-		## Number of extension fields (which are not currently parsed)
-		num_exts:           count &default=0;
-	};
-}
-
-
 module NTLM;
 
 export {

From b6746bc9e04d16d32441a96944d3088f299d8e8d Mon Sep 17 00:00:00 2001
From: jatkinosn <jeff.atkinosn@verizonmedia.com>
Date: Thu, 6 Jun 2019 09:49:24 -0400
Subject: [PATCH 26/91] Adding client_security_data to the analyzer.

---
 src/analyzer/protocol/rdp/events.bif       |  7 +++++++
 src/analyzer/protocol/rdp/rdp-analyzer.pac | 18 ++++++++++++++++++
 src/analyzer/protocol/rdp/rdp-protocol.pac |  7 ++++++-
 src/analyzer/protocol/rdp/types.bif        |  5 ++++-
 4 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif
index 463e3b8d07..efb360cd6f 100644
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@@ -26,6 +26,13 @@ event rdp_negotiation_failure%(c: connection, failure_code: count%);
 ## data: The data contained in the client core data structure.
 event rdp_client_core_data%(c: connection, data: RDP::ClientCoreData%);
 
+## Generated for client security data packets.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## data: The data contained in the client security data structure.
+event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
+
 ## Generated for Client Network Data (TS_UD_CS_NET) packets
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index cf673e81b2..49398ec0a8 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -101,6 +101,20 @@ refine flow RDP_Flow += {
 		return true;
 		%}
 
+	function proc_rdp_client_security_data(csec: Client_Security_Data): bool
+		%{
+		if ( ! rdp_client_security_data )
+                        return false;
+	 
+			RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
+			csd->Assign(0, val_mgr->GetCount(${csec.encryption_methods}));
+			csd->Assign(1, val_mgr->GetCount(${csec.ext_encryption_methods}));
+    
+			BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
+								    connection()->bro_analyzer()->Conn(),
+								    csd);
+		%}
+
 	function proc_rdp_client_network_data(cnetwork: Client_Network_Data): bool
 		%{
 		if ( ! rdp_client_network_data )
@@ -203,6 +217,10 @@ refine typeattr Client_Core_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_core_data(this);
 };
 
+refine typeattr Client_Security_Data += &let {
+        proc: bool = $context.flow.proc_rdp_client_security_data(this);
+};
+
 refine typeattr Client_Network_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_network_data(this);
 };
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac
index 46202f379e..930403d68b 100644
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@@ -52,7 +52,7 @@ type Data_Block = record {
 	header: Data_Header;
 	block: case header.type of {
 		0xc001  -> client_core:       Client_Core_Data;
-		#0xc002  -> client_security:   Client_Security_Data;
+		0xc002  -> client_security:   Client_Security_Data;
 		0xc003  -> client_network:    Client_Network_Data;
 		#0xc004  -> client_cluster:    Client_Cluster_Data;
 		#0xc005  -> client_monitor:    Client_Monitor_Data;
@@ -220,6 +220,11 @@ type Client_Core_Data = record {
 	SUPPORT_HEARTBEAT_PDU:      bool = early_capability_flags & 0x0400;
 } &byteorder=littleendian;
 
+type Client_Security_Data = record {
+	encryption_methods:	uint16;
+	ext_encryption_methods:	uint16;
+} &byteorder=littleendian;
+
 type Client_Network_Data = record {
 	channel_count: uint32;
 	channel_def_array: Client_Channel_Def[channel_count];
diff --git a/src/analyzer/protocol/rdp/types.bif b/src/analyzer/protocol/rdp/types.bif
index d5a7f930a9..ff64d75744 100644
--- a/src/analyzer/protocol/rdp/types.bif
+++ b/src/analyzer/protocol/rdp/types.bif
@@ -4,5 +4,8 @@ module RDP;
 type EarlyCapabilityFlags: record;
 type ClientCoreData: record;
 
+# JSA
+type ClientSecurityData: record;
+
 type ClientChannelList: vector;
-type ClientChannelDef: record;
\ No newline at end of file
+type ClientChannelDef: record;

From 17512bb8db697b3b4ee441b913b77bf4feb20c97 Mon Sep 17 00:00:00 2001
From: jatkinosn <jeff.atkinosn@verizonmedia.com>
Date: Thu, 6 Jun 2019 10:06:58 -0400
Subject: [PATCH 27/91] Adding record to init-bare

---
 scripts/base/init-bare.zeek                | 5 +++++
 src/analyzer/protocol/rdp/rdp-protocol.pac | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index adbd25052e..144c02737f 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4276,6 +4276,11 @@ export {
 		dig_product_id:         string &optional;
 	};
 
+	type RDP::ClientSecurityData: record {
+		encryption_methods:	count;
+		ext_encryption_methods:	count;
+	};
+
 	## Name and flags for a single channel requested by the client.
 	type RDP::ClientChannelDef: record {
 		## A unique name for the channel
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac
index 930403d68b..442a0d1292 100644
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@@ -221,8 +221,8 @@ type Client_Core_Data = record {
 } &byteorder=littleendian;
 
 type Client_Security_Data = record {
-	encryption_methods:	uint16;
-	ext_encryption_methods:	uint16;
+	encryption_methods:	uint32;
+	ext_encryption_methods:	uint32;
 } &byteorder=littleendian;
 
 type Client_Network_Data = record {

From 2cd2c65fe37669218b1131d253574afcfe79c7a6 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Thu, 6 Jun 2019 16:38:05 +0200
Subject: [PATCH 28/91] fix auth field (key_id and mac) in standard and control
 msg

---
 scripts/base/init-bare.zeek                | 63 +++-------------------
 scripts/base/protocols/ntp/main.zeek       | 24 ++++++---
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 10 ++--
 src/analyzer/protocol/ntp/ntp-protocol.pac | 32 ++++++-----
 4 files changed, 51 insertions(+), 78 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 42e0eea538..884fa1f738 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -2526,54 +2526,6 @@ export {
 	};
 }
 
-module NTP;
-
-export {
-	## NTP message as defined in :rfc:`5905`.
-	## Doesn't include fields for mode 7 (reserved for private use), e.g. monlist
-	type NTP::Message: record {
-		## The NTP version number
-		version:            count;
-		## The NTP mode being used
-		mode:               count;
-		## The stratum (primary server, secondary server, etc.)
-		stratum:            count;
-		## The maximum interval between successive messages
-		poll:               interval;
-		## The precision of the system clock
-		precision:          interval;
-
-		## Total round-trip delay to the reference clock
-		root_delay:         interval;
-		## Total dispersion to the reference clock
-		root_disp:          interval;
-		## For stratum 0, 4 character string used for debugging
-		kiss_code:          string &optional;
-		## For stratum 1, ID assigned to the reference clock by IANA
-		ref_id:             string &optional;
-		## Above stratum 1, when using IPv4, the IP address of the reference clock
-		ref_addr:           addr &optional;
-
-		## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
-		## IPv6 address of the reference clock
-		ref_v6_hash_prefix: string &optional;
-		## Time when the system clock was last set or correct
-		ref_time:           time;
-		## Time at the client when the request departed for the NTP server
-		org_time:           time;
-		## Time at the server when the request arrived from the NTP client
-		rec_time:           time;
-		## Time at the server when the response departed for the NTP client
-		xmt_time:           time;
-		## Key used to designate a secret MD5 key
-		key_id:             count &optional;
-		## MD5 hash computed over the key followed by the NTP packet header and extension fields
-		digest:             string &optional;
-		## Number of extension fields (which are not currently parsed)
-		num_exts:           count &default=0;
-	};
-}
-
 
 module NTLM;
 
@@ -5045,15 +4997,16 @@ export {
 	## The sequence number of the command or response
         sequence        : count;
 	## The current status of the system, peer or clock
-        status          : count;    #TODO: this must be further specified
+        status          : count;    #TODO: this can be further parsed internally
 	## A 16-bit integer identifying a valid association
         association_id  : count;
-	## A 16-bit integer indicating the offset, in octets, of the first octet in the data area
-        offs            : count;
-	## A 16-bit integer indicating the length of the data field, in octets
-        c		: count;
 	## The message data for the command or response + Authenticator (optional)
-        data            : string &optional;   # TODO: distinguish data and authenticator
+        data            : string &optional;
+        ## This is an integer identifying the cryptographic
+	## key used to generate the message-authentication code
+        key_id		: count &optional;
+	## This is a crypto-checksum computed by the encryption procedure
+        crypto_checksum	: string &optional;
 	};
 
         ## NTP mode7 message for mode=7. Note that this is not defined in any RFC
@@ -5095,7 +5048,7 @@ export {
 	##               7 - authentication failure (i.e. permission denied)
         err  		: count;
         ## Rest of data
-        data            : string &optional;   # TODO: can be further parsed
+        data            : string &optional;   
         };
 
         ## NTP message as defined in :rfc:`5905`.
diff --git a/scripts/base/protocols/ntp/main.zeek b/scripts/base/protocols/ntp/main.zeek
index de65863c39..40b2b9caf0 100644
--- a/scripts/base/protocols/ntp/main.zeek
+++ b/scripts/base/protocols/ntp/main.zeek
@@ -76,6 +76,12 @@ export {
 	        status          : count &log;    
         	## A 16-bit integer identifying a valid association
 	        association_id  : count &log;
+	        ## This is an integer identifying the cryptographic
+	        ## key used to generate the message-authentication code
+        	ctrl_key_id          : count &optional &log;
+        	## This is a crypto-checksum computed by the encryption procedure
+        	crypto_checksum : string &optional &log;
+	
 
 		## An implementation-specific code which specifies the
 		## operation to be (which has been) performed and/or the
@@ -133,13 +139,13 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 		info$root_delay =  msg$std_msg$root_delay;
 		info$root_disp =  msg$std_msg$root_disp;
 
-		if ( info?$kiss_code) 
+		if ( msg$std_msg?$kiss_code) 
 			info$kiss_code =  msg$std_msg$kiss_code;
-                if ( info?$ref_id)
+                if ( msg$std_msg?$ref_id)
                         info$ref_id =  msg$std_msg$ref_id;
-                if ( info?$ref_addr)
+                if ( msg$std_msg?$ref_addr)
                         info$ref_addr =  msg$std_msg$ref_addr;
-                if ( info?$ref_v6_hash_prefix)
+                if ( msg$std_msg?$ref_v6_hash_prefix)
                         info$ref_v6_hash_prefix =  msg$std_msg$ref_v6_hash_prefix;
 
                 info$ref_time =  msg$std_msg$ref_time;
@@ -147,9 +153,9 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
                 info$rec_time =  msg$std_msg$rec_time;
                 info$xmt_time =  msg$std_msg$xmt_time;
 
-                if ( info?$key_id)
+                if ( msg$std_msg?$key_id)
                         info$key_id =  msg$std_msg$key_id;
-                if ( info?$digest)
+                if ( msg$std_msg?$digest)
                         info$digest =  msg$std_msg$digest;
 
 		info$num_exts =  msg$std_msg$num_exts;
@@ -163,6 +169,12 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
              info$sequence = msg$control_msg$sequence;
              info$status = msg$control_msg$status;
              info$association_id = msg$control_msg$association_id;
+
+                if ( msg$control_msg?$key_id)
+                        info$ctrl_key_id =  msg$control_msg$key_id;
+                if ( msg$control_msg?$crypto_checksum)
+                        info$crypto_checksum =  msg$control_msg$crypto_checksum;
+
 	  }
 
           if ( msg$mode==7 ) {
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 8ab14bb0bf..af42ddf9d1 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -65,12 +65,12 @@ refine flow NTP_Flow += {
                 rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
                 rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
 
-		if (${nsm.mac.key_id}) {
-		    //rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id}));
-		    //rv->Assign(14, bytestring_to_val(${nsm.mac.digest}));
-			cout<<"booo"<<endl;
+		if (${nsm.has_mac}) {
+		    rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id}));
+		    rv->Assign(14, bytestring_to_val(${nsm.mac.digest}));
 		}
-                rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
+		// TODO: add extension fields
+                //rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
 
         	return rv;
         %}
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index 721780c261..fd3a43f9c9 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -39,13 +39,14 @@ type NTP_std_msg = record {
         origin_ts      : NTP_Time;
         receive_ts     : NTP_Time;
         transmit_ts    : NTP_Time;
-        extensions     : Extension_Field[] &until($input.length() <= 18);
-        have_mac       : case (offsetof(have_mac) < length) of {
+        #extensions     : Extension_Field[] &until($input.length() == 20); #TODO: this need to be properly parsed 
+        mac_fields     : case (has_mac) of {
                                 true  -> mac : NTP_MAC;
                                 false -> nil : empty;
-                         } &requires(length);
+                         } &requires(has_mac);
 } &let {
         length          = sourcedata.length();
+	has_mac: bool	= (length - offsetof(mac_fields)) == 20;
 } &byteorder=bigendian &exportsourcedata;
 
 # This format is for mode==6, control msg
@@ -53,33 +54,40 @@ type NTP_std_msg = record {
 type NTP_control_msg = record {
         second_byte	: uint8;
         sequence	: uint16;
-        status      	: uint16;    #TODO: this must be further specified
+        status      	: uint16;    #TODO: this can be further parsed internally
         association_id	: uint16;
         offs		: uint16;
         c	   	: uint16;
 	data		: bytestring &length=c;
-        have_mac       : case (offsetof(have_mac) < length) of {
-                                true  -> mac : NTP_MAC;
+        mac_fields     : case (has_control_mac) of {
+                                true  -> mac : NTP_CONTROL_MAC;
                                 false -> nil : empty;
-                         } &requires(length);
+                         } &requires(has_control_mac);
 } &let {
         R:	bool   = (second_byte & 0x80) > 0;	# First bit of 8-bits value
         E:	bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
         M:     	bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
-        OpCode:	uint8  = (second_byte & 0x1F);	# Last 5 bits of 8-bits value
+        OpCode:	uint8  = (second_byte & 0x1F);		# Last 5 bits of 8-bits value
         length          = sourcedata.length();
+        has_control_mac: bool   = (length - offsetof(mac_fields)) == 12;
 } &byteorder=bigendian &exportsourcedata;
 
-
+# As in RFC 5905
 type NTP_MAC = record {
 	key_id: uint32;
 	digest: bytestring &length=16;
-} &length=18;
+} &length=20;
+
+# As in RFC 1119
+type NTP_CONTROL_MAC = record {
+        key_id: uint32;
+     	crypto_checksum: bytestring &length=8;
+} &length=12;
 
 type Extension_Field = record {
   field_type: uint16;
-  length    : uint16;
-  data      : bytestring &length=length-4;
+  ext_len   : uint16;
+  data      : bytestring &length=ext_len-4;
 };
 
 type NTP_Short_Time = record {

From 38ad64808258f84c4128ef70d6623f8a3595704b Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Thu, 6 Jun 2019 16:45:09 +0200
Subject: [PATCH 29/91] update tests and add a new one for key_id and mac

---
 .../.stdout                                   |  40 +++++++++
 .../ntp.log                                   |  49 +++++++++++
 .../scripts.base.protocols.ntp.ntp/.stdout    |  64 +++++++-------
 .../scripts.base.protocols.ntp.ntp/ntp.log    |  72 ++++++++--------
 .../scripts.base.protocols.ntp.ntp2/.stdout   |  68 +++++++--------
 .../scripts.base.protocols.ntp.ntp2/ntp.log   |  78 +++++++++---------
 .../scripts.base.protocols.ntp.ntp3/.stdout   |  60 +++++++-------
 .../scripts.base.protocols.ntp.ntp3/ntp.log   |  68 +++++++--------
 .../.stdout                                   |  12 +--
 .../ntp.log                                   |  26 +++---
 testing/btest/Traces/ntp/NTP-digest.pcap      | Bin 0 -> 5864 bytes
 .../base/protocols/ntp/ntp-digest.test        |  11 +++
 12 files changed, 324 insertions(+), 224 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/ntp.log
 create mode 100644 testing/btest/Traces/ntp/NTP-digest.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ntp/ntp-digest.test

diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/.stdout
new file mode 100644
index 0000000000..c92443bb33
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/.stdout
@@ -0,0 +1,40 @@
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.02623, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495804929.482904, key_id=1, digest=\xac\x01{i\x91\\xe5\xa7\xa9\xfbs\xac\x8b\xd1`;, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.0271, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495804987.483591, key_id=1, digest=3\x03\x03\xf0\xaa\x15`\xf5i\xd8=\xfa\x10S\x80\xd4, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.027374, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805006.483955, key_id=1, digest=\xbb\xdc\x86&\xa6\xfd\x0d\xd5q.4I\x04\xad\xeb\xe1, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.027939, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805043.484331, key_id=1, digest=\x97\x99\x90\x18t\xf8-k\xcdo0\x9945\xe1\xbf, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.028503, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805081.484917, key_id=1, digest=}\xb9\x12\xfe\x8fT\xd2\x0fA\x8c\x86\x90\x9b\xf9\xd1p, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.02887, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805105.48515, key_id=1, digest=\x8e\xb7\xe1\x0e\x86T\xdcsB\x05j\xe0|\xc9i\xa6, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.029678, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805159.485867, key_id=1, digest=.\x16\x11\x9e\xd1\xadJ\x16x}\x03f\x91\x11\x85_, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.030334, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805203.486536, key_id=1, digest=\x1bu\x87"U\xa3\xbb*\xe7-\xecu`\x88\xb8z, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.030396, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805207.486593, key_id=1, digest=\x10\x8eb\x92\x85\xc1\xd0#\x09\x93\x97\xff\x0a$&/, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.031128, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805256.487243, key_id=1, digest=\xcc\x1f~\xa1\xdf\xe0.\x9f_,\xa65\x1a[\x01s, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.031479, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805279.487564, key_id=1, digest=}\xfd\xbf\x81\xae\x16\x07\x1b\x987kd\x9255\xf9, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.032242, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805330.48824, key_id=1, digest=\x90\xfc\x8c\x02\xa6w\x1f\xf2\x0aU\xfb\x04\x10\xe9\xe3\xfb, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.032639, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805357.488596, key_id=1, digest=\x96@\x0b\x95\x99W\xd7\xa8\xf6\x06\xf9\xa0B,\x1d\xd8, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.03302, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805382.488826, key_id=1, digest=\xd3\xd7\xd1Vn\xb7\x0e\xceg\xb9C\x0b\xc2\xac\xcc\xab, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.03392, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805442.489609, key_id=1, digest=\x93E\xaa\xdaj\xfc3d\x0c\xd1\xad\xb3\x83ce\xc9, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.034058, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805451.489738, key_id=1, digest={\xaa\x86\xeb\x99\xb8H\xe4\x8b\x93\x7f\xfe\x84)%\xa4, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.034088, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805453.489803, key_id=1, digest=1D0\x0f\x08\x16\x9fjs\xd4\xef}5\xa1\xf6\x9a, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.03421, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805461.489877, key_id=1, digest=nU~J\x8d\xe9m\xf3\.\xf1g\xb5loj, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.034454, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805478.490201, key_id=1, digest=\xa4\xf8A\x08\xbf\xda}F%\xf2Fl\x19\xff\xdd\xab, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.034851, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805504.490512, key_id=1, digest=\xb0\xeec=\xb3\x17\xa2\xc5\xab\xe5\x04\x82\xe3\xfcE\xa1, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.035263, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805532.49081, key_id=1, digest=\x0b\xa2\x86M\x0d\xdc%\xbc\xcbi\xe9\x81\xd6\x0d$\x80, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.035339, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805537.490953, key_id=1, digest=\x01\xc1~\xeeJ'\x92g\x0cYI0\x0c\xd7\x91\xb1, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.035858, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805571.491412, key_id=1, digest=i\x90_\x89B\xf0\xe8Nq.\xe2t\xf1_jn, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.036804, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805634.492157, key_id=1, digest=\x07p\xf5&\xff\x1b6\x04\xb3\x83/\xb9\xff\xcb\xf2\xc6, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.036942, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805644.492282, key_id=1, digest=M\x05\xa9\x90'a\xbajGdb\xe03ZA\xf9, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.037735, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805696.492977, key_id=1, digest=\x17B\xcf\xb1y\x88\xdfA\xfe\xc2\x03u"J\xe9\xb0, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.038666, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805758.493804, key_id=1, digest=\x99\xe3\xa8\x0c\xca@\xc1\x0c\x1c\xc9\xec=\x07\xc0d\xc7, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.038925, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805776.494147, key_id=1, digest=T\x1bE\x16,{\x1b\x08\xc9\x05G\xce\xb9\xe2,\x9d, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.03952, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805815.494543, key_id=1, digest=\xb7\xa6\xc2'u\xdc\xcc\x86(\xe0^{\xdd\x8e\xde,, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.040253, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805864.495286, key_id=1, digest=\xfcU\x94Z\xca\x04x\xe0\x93z\xa2K\x89\xc0 \xb7, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.040268, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805865.495321, key_id=1, digest=\xf9& \x1a\xb2}O\xe5\xba\xd9\xfe\x0f\xf4J\x93P, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.041031, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805916.495973, key_id=1, digest=\x8f\x8c\xb7\xcd\xd4{\x8f\x0b\x92\xee~\xa6\x17\x0e\xa1\x0f, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.041748, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805964.496596, key_id=1, digest=L\xe68\xb6\x1d\x1d\x8cq\x0b\xb7\xf0N\xee\x9b\xb2j, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.042175, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495805992.496969, key_id=1, digest=D\xa4>MCS\x90h\x0f=[4u\xd0\x1f\x9f, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.042816, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495806035.497545, key_id=1, digest=U\xcb]\xd3"NV\xb9[W\xa5!\xddl\x1f4, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.043106, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495806055.497725, key_id=1, digest=Y\xdc\xc7]#\xb3\x9bV\xf7\x1b\xb3[\x8e\x836!, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.04332, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495806069.497937, key_id=1, digest=\xd1-O\xc7-\xac\x10\x19\xa9h\xe4\x81;\xb4\x01e, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.043488, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495806080.498132, key_id=1, digest=\xe0\xa3^\x9ck*qa\x85\x1aVA|bJA, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.043793, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495806100.498395, key_id=1, digest=;\x03\xae\x8a\xf1}ABj\x87\xa0\xf4\xa8C\xd7\x9f, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 2003:51:6012:121::2 -> 2003:51:6012:110::dcf7:123:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.002213, root_disp=0.044235, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=182.165.128.219, ref_v6_hash_prefix=<uninitialized>, ref_time=1495804247.476651, org_time=0.0, rec_time=0.0, xmt_time=1495806130.498813, key_id=1, digest=\x1e\xa7\xc3\xd2\xe3\x0e\x08!\x8f\xe3Z$&B\x96\x13, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/ntp.log
new file mode 100644
index 0000000000..7b687745d5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/ntp.log
@@ -0,0 +1,49 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ntp
+#open	2019-06-06-14-43-28
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
+1495804929.483801	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.026230	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495804929.482904	1	\xac\x01{i\x91\\\xe5\xa7\xa9\xfbs\xac\x8b\xd1`;	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495804987.484143	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.027100	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495804987.483591	1	3\x03\x03\xf0\xaa\x15`\xf5i\xd8=\xfa\x10S\x80\xd4	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805006.484270	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.027374	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805006.483955	1	\xbb\xdc\x86&\xa6\xfd\x0d\xd5q.4I\x04\xad\xeb\xe1	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805043.485165	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.027939	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805043.484331	1	\x97\x99\x90\x18t\xf8-k\xcdo0\x9945\xe1\xbf	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805081.485865	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.028503	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805081.484917	1	}\xb9\x12\xfe\x8fT\xd2\x0fA\x8c\x86\x90\x9b\xf9\xd1p	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805105.485765	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.028870	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805105.485150	1	\x8e\xb7\xe1\x0e\x86T\xdcsB\x05j\xe0|\xc9i\xa6	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805159.486908	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.029678	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805159.485867	1	.\x16\x11\x9e\xd1\xadJ\x16x}\x03f\x91\x11\x85_	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805203.487540	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.030334	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805203.486536	1	\x1bu\x87"U\xa3\xbb*\xe7-\xecu`\x88\xb8z	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805207.487345	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.030396	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805207.486593	1	\x10\x8eb\x92\x85\xc1\xd0#\x09\x93\x97\xff\x0a$&/	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805256.488426	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.031128	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805256.487243	1	\xcc\x1f~\xa1\xdf\xe0.\x9f_,\xa65\x1a[\x01s	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805279.488216	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.031479	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805279.487564	1	}\xfd\xbf\x81\xae\x16\x07\x1b\x987kd\x9255\xf9	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805330.489109	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.032242	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805330.488240	1	\x90\xfc\x8c\x02\xa6w\x1f\xf2\x0aU\xfb\x04\x10\xe9\xe3\xfb	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805357.489015	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.032639	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805357.488596	1	\x96@\x0b\x95\x99W\xd7\xa8\xf6\x06\xf9\xa0B,\x1d\xd8	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805382.489247	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.033020	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805382.488826	1	\xd3\xd7\xd1Vn\xb7\x0e\xceg\xb9C\x0b\xc2\xac\xcc\xab	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805442.490416	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.033920	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805442.489609	1	\x93E\xaa\xdaj\xfc3d\x0c\xd1\xad\xb3\x83ce\xc9	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805451.490156	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.034058	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805451.489738	1	{\xaa\x86\xeb\x99\xb8H\xe4\x8b\x93\x7f\xfe\x84)%\xa4	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805453.490234	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.034088	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805453.489803	1	1D0\x0f\x08\x16\x9fjs\xd4\xef}5\xa1\xf6\x9a	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805461.490303	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.034210	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805461.489877	1	nU~J\x8d\xe9m\xf3\\.\xf1g\xb5loj	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805478.490697	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.034454	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805478.490201	1	\xa4\xf8A\x08\xbf\xda}F%\xf2Fl\x19\xff\xdd\xab	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805504.491041	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.034851	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805504.490512	1	\xb0\xeec=\xb3\x17\xa2\xc5\xab\xe5\x04\x82\xe3\xfcE\xa1	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805532.491194	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.035263	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805532.490810	1	\x0b\xa2\x86M\x0d\xdc%\xbc\xcbi\xe9\x81\xd6\x0d$\x80	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805537.491291	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.035339	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805537.490953	1	\x01\xc1~\xeeJ'\x92g\x0cYI0\x0c\xd7\x91\xb1	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805571.492008	ClEkJM2Vm5giqnMf4h	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.035858	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805571.491412	1	i\x90_\x89B\xf0\xe8Nq.\xe2t\xf1_jn	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805634.493022	C4J4Th3PJpwUYZZ6gc	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.036804	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805634.492157	1	\x07p\xf5&\xff\x1b6\x04\xb3\x83/\xb9\xff\xcb\xf2\xc6	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805644.492819	C4J4Th3PJpwUYZZ6gc	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.036942	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805644.492282	1	M\x05\xa9\x90'a\xbajGdb\xe03ZA\xf9	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805696.493954	C4J4Th3PJpwUYZZ6gc	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.037735	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805696.492977	1	\x17B\xcf\xb1y\x88\xdfA\xfe\xc2\x03u"J\xe9\xb0	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805758.494168	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.038666	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805758.493804	1	\x99\xe3\xa8\x0c\xca@\xc1\x0c\x1c\xc9\xec=\x07\xc0d\xc7	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805776.494105	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.038925	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805776.494147	1	T\x1bE\x16,{\x1b\x08\xc9\x05G\xce\xb9\xe2,\x9d	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805815.494785	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.039520	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805815.494543	1	\xb7\xa6\xc2'u\xdc\xcc\x86(\xe0^{\xdd\x8e\xde,	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805864.495551	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.040253	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805864.495286	1	\xfcU\x94Z\xca\x04x\xe0\x93z\xa2K\x89\xc0 \xb7	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805865.495215	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.040268	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805865.495321	1	\xf9& \x1a\xb2}O\xe5\xba\xd9\xfe\x0f\xf4J\x93P	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805916.496467	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.041031	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805916.495973	1	\x8f\x8c\xb7\xcd\xd4{\x8f\x0b\x92\xee~\xa6\x17\x0e\xa1\x0f	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805964.497107	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.041748	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805964.496596	1	L\xe68\xb6\x1d\x1d\x8cq\x0b\xb7\xf0N\xee\x9b\xb2j	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495805992.497281	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.042175	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495805992.496969	1	D\xa4>MCS\x90h\x0f=[4u\xd0\x1f\x9f	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495806035.498089	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.042816	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806035.497545	1	U\xcb]\xd3"NV\xb9[W\xa5!\xddl\x1f4	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495806055.497837	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.043106	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806055.497725	1	Y\xdc\xc7]#\xb3\x9bV\xf7\x1b\xb3[\x8e\x836!	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495806069.497947	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.043320	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806069.497937	1	\xd1-O\xc7-\xac\x10\x19\xa9h\xe4\x81;\xb4\x01e	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495806080.498110	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.043488	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806080.498132	1	\xe0\xa3^\x9ck*qa\x85\x1aVA|bJA	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495806100.498331	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.043793	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806100.498395	1	;\x03\xae\x8a\xf1}ABj\x87\xa0\xf4\xa8C\xd7\x9f	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1495806130.498492	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.044235	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806130.498813	1	\x1e\xa7\xc3\xd2\xe3\x0e\x08!\x8f\xe3Z$&B\x96\x13	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+#close	2019-06-06-14-43-28
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
index ffb4b4f91d..59b1a1966e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/.stdout
@@ -1,32 +1,32 @@
-ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02417, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246548.048352, rec_time=1559246548.076756, xmt_time=1559246614.027421, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.048843, root_disp=0.07135, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245852.721794, org_time=1559246614.027421, rec_time=1559246614.048376, xmt_time=1559246614.048407, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024216, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246550.040662, rec_time=1559246550.063198, xmt_time=1559246617.027452, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.003799, root_disp=0.032959, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245541.537424, org_time=1559246617.027452, rec_time=1559246617.040799, xmt_time=1559246617.040813, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024246, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.074199, rec_time=1559246553.094855, xmt_time=1559246619.027384, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.040375, root_disp=0.001266, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246560.207644, org_time=1559246619.027384, rec_time=1559246619.054018, xmt_time=1559246619.054053, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246551.034239, rec_time=1559246551.058223, xmt_time=1559246620.027408, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.067084, rec_time=1559246553.088704, xmt_time=1559246620.027461, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246554.041266, rec_time=1559246554.063055, xmt_time=1559246620.027475, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.003235, root_disp=0.000275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246481.481997, org_time=1559246620.027461, rec_time=1559246620.040139, xmt_time=1559246620.040206, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013397, root_disp=0.053787, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559244627.070973, org_time=1559246620.027408, rec_time=1559246620.043959, xmt_time=1559246620.043985, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000001, root_delay=0.00351, root_disp=0.036545, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245278.44239, org_time=1559246620.027475, rec_time=1559246620.048058, xmt_time=1559246620.048074, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024277, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.072776, rec_time=1559246553.094814, xmt_time=1559246621.027421, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.01091, root_disp=0.033463, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245577.265702, org_time=1559246621.027421, rec_time=1559246621.073143, xmt_time=1559246621.073172, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246556.043833, rec_time=1559246556.073681, xmt_time=1559246622.027384, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.078959, rec_time=1559246553.100708, xmt_time=1559246622.027446, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.085177, rec_time=1559246553.102587, xmt_time=1559246622.027464, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246554.041367, rec_time=1559246554.069181, xmt_time=1559246622.027478, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013733, root_disp=0.041672, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245709.302032, org_time=1559246622.027446, rec_time=1559246622.071899, xmt_time=1559246622.071924, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000002, root_delay=0.00351, root_disp=0.038559, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245178.020777, org_time=1559246622.027478, rec_time=1559246622.068521, xmt_time=1559246622.06856, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=GPS\x00, ref_time=1559246622.0, org_time=1559246622.027384, rec_time=1559246622.073734, xmt_time=1559246622.07374, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.03743, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246622.027464, rec_time=1559246622.086267, xmt_time=1559246622.086348, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024307, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246556.032041, rec_time=1559246556.054612, xmt_time=1559246623.027478, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024307, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246555.051459, rec_time=1559246555.077253, xmt_time=1559246623.027521, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.025391, root_disp=0.011642, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246412.455332, org_time=1559246623.027478, rec_time=1559246623.041209, xmt_time=1559246623.04122, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.036835, root_disp=0.046951, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245789.870424, org_time=1559246623.027521, rec_time=1559246623.04836, xmt_time=1559246623.048416, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024353, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246557.07812, rec_time=1559246557.097844, xmt_time=1559246626.027432, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024353, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246558.043947, rec_time=1559246558.067904, xmt_time=1559246626.027514, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013535, root_disp=0.025497, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246283.180069, org_time=1559246626.027514, rec_time=1559246626.044105, xmt_time=1559246626.044139, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246626.027432, rec_time=1559246626.058084, xmt_time=1559246626.058151, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024368, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246560.040576, rec_time=1559246560.064668, xmt_time=1559246627.027459, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=4, std_msg=[stratum=3, poll=64.0, precision=0.000001, root_delay=0.011765, root_disp=0.001526, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245638.390748, org_time=1559246627.027459, rec_time=1559246627.050401, xmt_time=1559246627.050438, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02417, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246548.048352, rec_time=1559246548.076756, xmt_time=1559246614.027421, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.048843, root_disp=0.07135, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=105.237.207.28, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245852.721794, org_time=1559246614.027421, rec_time=1559246614.048376, xmt_time=1559246614.048407, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024216, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246550.040662, rec_time=1559246550.063198, xmt_time=1559246617.027452, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.003799, root_disp=0.032959, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245541.537424, org_time=1559246617.027452, rec_time=1559246617.040799, xmt_time=1559246617.040813, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024246, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.074199, rec_time=1559246553.094855, xmt_time=1559246619.027384, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.040375, root_disp=0.001266, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=195.113.144.238, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246560.207644, org_time=1559246619.027384, rec_time=1559246619.054018, xmt_time=1559246619.054053, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246551.034239, rec_time=1559246551.058223, xmt_time=1559246620.027408, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.067084, rec_time=1559246553.088704, xmt_time=1559246620.027461, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024261, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246554.041266, rec_time=1559246554.063055, xmt_time=1559246620.027475, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.003235, root_disp=0.000275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246481.481997, org_time=1559246620.027461, rec_time=1559246620.040139, xmt_time=1559246620.040206, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013397, root_disp=0.053787, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559244627.070973, org_time=1559246620.027408, rec_time=1559246620.043959, xmt_time=1559246620.043985, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000001, root_delay=0.00351, root_disp=0.036545, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.232, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245278.44239, org_time=1559246620.027475, rec_time=1559246620.048058, xmt_time=1559246620.048074, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024277, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.072776, rec_time=1559246553.094814, xmt_time=1559246621.027421, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.01091, root_disp=0.033463, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245577.265702, org_time=1559246621.027421, rec_time=1559246621.073143, xmt_time=1559246621.073172, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246556.043833, rec_time=1559246556.073681, xmt_time=1559246622.027384, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.078959, rec_time=1559246553.100708, xmt_time=1559246622.027446, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246553.085177, rec_time=1559246553.102587, xmt_time=1559246622.027464, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024292, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246554.041367, rec_time=1559246554.069181, xmt_time=1559246622.027478, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013733, root_disp=0.041672, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245709.302032, org_time=1559246622.027446, rec_time=1559246622.071899, xmt_time=1559246622.071924, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000002, root_delay=0.00351, root_disp=0.038559, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.232, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245178.020777, org_time=1559246622.027478, rec_time=1559246622.068521, xmt_time=1559246622.06856, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.0, kiss_code=<uninitialized>, ref_id=GPS\x00, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246622.0, org_time=1559246622.027384, rec_time=1559246622.073734, xmt_time=1559246622.07374, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.03743, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=212.7.1.132, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246622.027464, rec_time=1559246622.086267, xmt_time=1559246622.086348, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024307, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246556.032041, rec_time=1559246556.054612, xmt_time=1559246623.027478, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024307, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246555.051459, rec_time=1559246555.077253, xmt_time=1559246623.027521, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.025391, root_disp=0.011642, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246412.455332, org_time=1559246623.027478, rec_time=1559246623.041209, xmt_time=1559246623.04122, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.036835, root_disp=0.046951, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=73.98.4.223, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245789.870424, org_time=1559246623.027521, rec_time=1559246623.04836, xmt_time=1559246623.048416, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024353, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246557.07812, rec_time=1559246557.097844, xmt_time=1559246626.027432, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024353, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246558.043947, rec_time=1559246558.067904, xmt_time=1559246626.027514, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013535, root_disp=0.025497, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.232, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246283.180069, org_time=1559246626.027514, rec_time=1559246626.044105, xmt_time=1559246626.044139, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=212.7.1.132, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246626.027432, rec_time=1559246626.058084, xmt_time=1559246626.058151, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.024368, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246560.040576, rec_time=1559246560.064668, xmt_time=1559246627.027459, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=4, std_msg=[stratum=3, poll=64.0, precision=0.000001, root_delay=0.011765, root_disp=0.001526, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=185.19.184.35, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245638.390748, org_time=1559246627.027459, rec_time=1559246627.050401, xmt_time=1559246627.050438, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
index 382f3f6ed7..f69cae6089 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
@@ -3,39 +3,39 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-05-09-15-37
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
-#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
-1559246614.027454	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	3	2	64.000000	0.000000	0.046280	0.024170	-	-	-	-	1559246556.073681	1559246548.048352	1559246548.076756	1559246614.027421	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246614.074475	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.071350	-	-	-	-	1559245852.721794	1559246614.027421	1559246614.048376	1559246614.048407	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246617.027486	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	3	2	64.000000	0.000000	0.046280	0.024216	-	-	-	-	1559246556.073681	1559246550.040662	1559246550.063198	1559246617.027452	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246617.063504	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	4	2	64.000000	0.000000	0.003799	0.032959	-	-	-	-	1559245541.537424	1559246617.027452	1559246617.040799	1559246617.040813	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246619.027413	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	3	2	64.000000	0.000000	0.046280	0.024246	-	-	-	-	1559246556.073681	1559246553.074199	1559246553.094855	1559246619.027384	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246619.074513	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	4	2	64.000000	0.000000	0.040375	0.001266	-	-	-	-	1559246560.207644	1559246619.027384	1559246619.054018	1559246619.054053	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246620.027437	CtPZjS20MLrsMUOJi2	192.168.43.118	123	188.213.165.209	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	-	-	1559246556.073681	1559246551.034239	1559246551.058223	1559246620.027408	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246620.027466	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	185.19.184.35	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	-	-	1559246556.073681	1559246553.067084	1559246553.088704	1559246620.027461	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246620.027480	CmES5u32sYpV7JYN	192.168.43.118	123	212.45.144.3	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	-	-	1559246556.073681	1559246554.041266	1559246554.063055	1559246620.027475	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246620.059693	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	185.19.184.35	123	4	4	2	64.000000	0.000008	0.003235	0.000275	-	-	-	-	1559246481.481997	1559246620.027461	1559246620.040139	1559246620.040206	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246620.065302	CtPZjS20MLrsMUOJi2	192.168.43.118	123	188.213.165.209	123	4	4	2	64.000000	0.000000	0.013397	0.053787	-	-	-	-	1559244627.070973	1559246620.027408	1559246620.043959	1559246620.043985	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246620.065335	CmES5u32sYpV7JYN	192.168.43.118	123	212.45.144.3	123	4	4	2	64.000000	0.000001	0.003510	0.036545	-	-	-	-	1559245278.442390	1559246620.027475	1559246620.048058	1559246620.048074	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246621.027458	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	3	2	64.000000	0.000000	0.046280	0.024277	-	-	-	-	1559246556.073681	1559246553.072776	1559246553.094814	1559246621.027421	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246621.095645	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	4	2	64.000000	0.000000	0.010910	0.033463	-	-	-	-	1559245577.265702	1559246621.027421	1559246621.073143	1559246621.073172	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246622.027418	C37jN32gN3y3AZzyf6	192.168.43.118	123	85.199.214.99	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	-	-	1559246556.073681	1559246556.043833	1559246556.073681	1559246622.027384	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246622.027454	C3eiCBGOLw3VtHfOj	192.168.43.118	123	94.177.187.22	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	-	-	1559246556.073681	1559246553.078959	1559246553.100708	1559246622.027446	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246622.027471	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	147.135.207.214	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	-	-	1559246556.073681	1559246553.085177	1559246553.102587	1559246622.027464	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246622.027484	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	-	-	1559246556.073681	1559246554.041367	1559246554.069181	1559246622.027478	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246622.092519	C3eiCBGOLw3VtHfOj	192.168.43.118	123	94.177.187.22	123	4	4	2	64.000000	0.000000	0.013733	0.041672	-	-	-	-	1559245709.302032	1559246622.027446	1559246622.071899	1559246622.071924	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246622.092556	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	4	2	64.000000	0.000002	0.003510	0.038559	-	-	-	-	1559245178.020777	1559246622.027478	1559246622.068521	1559246622.068560	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246622.100109	C37jN32gN3y3AZzyf6	192.168.43.118	123	85.199.214.99	123	4	4	1	16.000000	0.000000	0.000000	0.000000	-	-	-	-	1559246622.000000	1559246622.027384	1559246622.073734	1559246622.073740	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246622.100152	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	147.135.207.214	123	4	4	2	64.000000	0.000008	0.042236	0.037430	-	-	-	-	1559245356.576177	1559246622.027464	1559246622.086267	1559246622.086348	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246623.027502	CFLRIC3zaTU1loLGxh	192.168.43.118	123	93.41.196.243	123	4	3	2	64.000000	0.000000	0.046280	0.024307	-	-	-	-	1559246556.073681	1559246556.032041	1559246556.054612	1559246623.027478	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246623.027531	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.171.177	123	4	3	2	64.000000	0.000000	0.046280	0.024307	-	-	-	-	1559246556.073681	1559246555.051459	1559246555.077253	1559246623.027521	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246623.062844	CFLRIC3zaTU1loLGxh	192.168.43.118	123	93.41.196.243	123	4	4	2	64.000000	0.000000	0.025391	0.011642	-	-	-	-	1559246412.455332	1559246623.027478	1559246623.041209	1559246623.041220	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246623.070217	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.171.177	123	4	4	4	64.000000	0.000000	0.036835	0.046951	-	-	-	-	1559245789.870424	1559246623.027521	1559246623.048360	1559246623.048416	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246626.027461	Ck51lg1bScffFj34Ri	192.168.43.118	123	147.135.207.213	123	4	3	2	64.000000	0.000000	0.046280	0.024353	-	-	-	-	1559246556.073681	1559246557.078120	1559246557.097844	1559246626.027432	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246626.027518	C9mvWx3ezztgzcexV7	192.168.43.118	123	80.211.155.206	123	4	3	2	64.000000	0.000000	0.046280	0.024353	-	-	-	-	1559246556.073681	1559246558.043947	1559246558.067904	1559246626.027514	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246626.065984	C9mvWx3ezztgzcexV7	192.168.43.118	123	80.211.155.206	123	4	4	2	64.000000	0.000000	0.013535	0.025497	-	-	-	-	1559246283.180069	1559246626.027514	1559246626.044105	1559246626.044139	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246626.075079	Ck51lg1bScffFj34Ri	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.037491	-	-	-	-	1559245356.576177	1559246626.027432	1559246626.058084	1559246626.058151	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246627.027502	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	3	2	64.000000	0.000000	0.046280	0.024368	-	-	-	-	1559246556.073681	1559246560.040576	1559246560.064668	1559246627.027459	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246627.073485	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011765	0.001526	-	-	-	-	1559245638.390748	1559246627.027459	1559246627.050401	1559246627.050438	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-#close	2019-06-05-09-15-37
+#open	2019-06-06-14-36-12
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
+1559246614.027454	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	3	2	64.000000	0.000000	0.046280	0.024170	-	-	85.199.214.99	-	1559246556.073681	1559246548.048352	1559246548.076756	1559246614.027421	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246614.074475	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.071350	-	-	105.237.207.28	-	1559245852.721794	1559246614.027421	1559246614.048376	1559246614.048407	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246617.027486	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	3	2	64.000000	0.000000	0.046280	0.024216	-	-	85.199.214.99	-	1559246556.073681	1559246550.040662	1559246550.063198	1559246617.027452	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246617.063504	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	4	2	64.000000	0.000000	0.003799	0.032959	-	-	193.204.114.233	-	1559245541.537424	1559246617.027452	1559246617.040799	1559246617.040813	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246619.027413	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	3	2	64.000000	0.000000	0.046280	0.024246	-	-	85.199.214.99	-	1559246556.073681	1559246553.074199	1559246553.094855	1559246619.027384	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246619.074513	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	4	2	64.000000	0.000000	0.040375	0.001266	-	-	195.113.144.238	-	1559246560.207644	1559246619.027384	1559246619.054018	1559246619.054053	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.027437	CtPZjS20MLrsMUOJi2	192.168.43.118	123	188.213.165.209	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	85.199.214.99	-	1559246556.073681	1559246551.034239	1559246551.058223	1559246620.027408	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.027466	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	185.19.184.35	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	85.199.214.99	-	1559246556.073681	1559246553.067084	1559246553.088704	1559246620.027461	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.027480	CmES5u32sYpV7JYN	192.168.43.118	123	212.45.144.3	123	4	3	2	64.000000	0.000000	0.046280	0.024261	-	-	85.199.214.99	-	1559246556.073681	1559246554.041266	1559246554.063055	1559246620.027475	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.059693	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	185.19.184.35	123	4	4	2	64.000000	0.000008	0.003235	0.000275	-	-	193.204.114.233	-	1559246481.481997	1559246620.027461	1559246620.040139	1559246620.040206	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.065302	CtPZjS20MLrsMUOJi2	192.168.43.118	123	188.213.165.209	123	4	4	2	64.000000	0.000000	0.013397	0.053787	-	-	193.204.114.233	-	1559244627.070973	1559246620.027408	1559246620.043959	1559246620.043985	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246620.065335	CmES5u32sYpV7JYN	192.168.43.118	123	212.45.144.3	123	4	4	2	64.000000	0.000001	0.003510	0.036545	-	-	193.204.114.232	-	1559245278.442390	1559246620.027475	1559246620.048058	1559246620.048074	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246621.027458	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	3	2	64.000000	0.000000	0.046280	0.024277	-	-	85.199.214.99	-	1559246556.073681	1559246553.072776	1559246553.094814	1559246621.027421	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246621.095645	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	4	2	64.000000	0.000000	0.010910	0.033463	-	-	193.204.114.233	-	1559245577.265702	1559246621.027421	1559246621.073143	1559246621.073172	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.027418	C37jN32gN3y3AZzyf6	192.168.43.118	123	85.199.214.99	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	85.199.214.99	-	1559246556.073681	1559246556.043833	1559246556.073681	1559246622.027384	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.027454	C3eiCBGOLw3VtHfOj	192.168.43.118	123	94.177.187.22	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	85.199.214.99	-	1559246556.073681	1559246553.078959	1559246553.100708	1559246622.027446	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.027471	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	147.135.207.214	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	85.199.214.99	-	1559246556.073681	1559246553.085177	1559246553.102587	1559246622.027464	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.027484	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	3	2	64.000000	0.000000	0.046280	0.024292	-	-	85.199.214.99	-	1559246556.073681	1559246554.041367	1559246554.069181	1559246622.027478	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.092519	C3eiCBGOLw3VtHfOj	192.168.43.118	123	94.177.187.22	123	4	4	2	64.000000	0.000000	0.013733	0.041672	-	-	193.204.114.233	-	1559245709.302032	1559246622.027446	1559246622.071899	1559246622.071924	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.092556	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	4	2	64.000000	0.000002	0.003510	0.038559	-	-	193.204.114.232	-	1559245178.020777	1559246622.027478	1559246622.068521	1559246622.068560	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.100109	C37jN32gN3y3AZzyf6	192.168.43.118	123	85.199.214.99	123	4	4	1	16.000000	0.000000	0.000000	0.000000	-	GPS\x00	-	-	1559246622.000000	1559246622.027384	1559246622.073734	1559246622.073740	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246622.100152	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	147.135.207.214	123	4	4	2	64.000000	0.000008	0.042236	0.037430	-	-	212.7.1.132	-	1559245356.576177	1559246622.027464	1559246622.086267	1559246622.086348	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246623.027502	CFLRIC3zaTU1loLGxh	192.168.43.118	123	93.41.196.243	123	4	3	2	64.000000	0.000000	0.046280	0.024307	-	-	85.199.214.99	-	1559246556.073681	1559246556.032041	1559246556.054612	1559246623.027478	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246623.027531	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.171.177	123	4	3	2	64.000000	0.000000	0.046280	0.024307	-	-	85.199.214.99	-	1559246556.073681	1559246555.051459	1559246555.077253	1559246623.027521	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246623.062844	CFLRIC3zaTU1loLGxh	192.168.43.118	123	93.41.196.243	123	4	4	2	64.000000	0.000000	0.025391	0.011642	-	-	193.204.114.233	-	1559246412.455332	1559246623.027478	1559246623.041209	1559246623.041220	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246623.070217	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.171.177	123	4	4	4	64.000000	0.000000	0.036835	0.046951	-	-	73.98.4.223	-	1559245789.870424	1559246623.027521	1559246623.048360	1559246623.048416	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246626.027461	Ck51lg1bScffFj34Ri	192.168.43.118	123	147.135.207.213	123	4	3	2	64.000000	0.000000	0.046280	0.024353	-	-	85.199.214.99	-	1559246556.073681	1559246557.078120	1559246557.097844	1559246626.027432	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246626.027518	C9mvWx3ezztgzcexV7	192.168.43.118	123	80.211.155.206	123	4	3	2	64.000000	0.000000	0.046280	0.024353	-	-	85.199.214.99	-	1559246556.073681	1559246558.043947	1559246558.067904	1559246626.027514	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246626.065984	C9mvWx3ezztgzcexV7	192.168.43.118	123	80.211.155.206	123	4	4	2	64.000000	0.000000	0.013535	0.025497	-	-	193.204.114.232	-	1559246283.180069	1559246626.027514	1559246626.044105	1559246626.044139	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246626.075079	Ck51lg1bScffFj34Ri	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.037491	-	-	212.7.1.132	-	1559245356.576177	1559246626.027432	1559246626.058084	1559246626.058151	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246627.027502	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	3	2	64.000000	0.000000	0.046280	0.024368	-	-	85.199.214.99	-	1559246556.073681	1559246560.040576	1559246560.064668	1559246627.027459	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246627.073485	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011765	0.001526	-	-	185.19.184.35	-	1559245638.390748	1559246627.027459	1559246627.050401	1559246627.050438	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+#close	2019-06-06-14-36-13
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
index ac82db736a..64f538e4b5 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
@@ -1,35 +1,35 @@
-ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028229, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246818.058351, rec_time=1559246818.079217, xmt_time=1559246885.027449, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.048843, root_disp=0.075409, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245852.721794, org_time=1559246885.027449, rec_time=1559246885.069212, xmt_time=1559246885.069247, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028259, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246820.060608, rec_time=1559246820.081498, xmt_time=1559246887.027425, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.003799, root_disp=0.037018, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245541.537424, org_time=1559246887.027425, rec_time=1559246887.050758, xmt_time=1559246887.050774, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246819.064014, rec_time=1559246819.079147, xmt_time=1559246888.027454, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.050275, rec_time=1559246822.064562, xmt_time=1559246888.030021, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.003235, root_disp=0.000565, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246481.481997, org_time=1559246888.030021, rec_time=1559246888.22033, xmt_time=1559246888.220401, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.040375, root_disp=0.001236, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246882.967102, org_time=1559246888.027454, rec_time=1559246888.234035, xmt_time=1559246888.234061, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02829, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.05809, rec_time=1559246822.069097, xmt_time=1559246889.027449, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000001, root_delay=0.00351, root_disp=0.040573, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245278.44239, org_time=1559246889.027449, rec_time=1559246889.061203, xmt_time=1559246889.06122, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246824.073855, rec_time=1559246824.095227, xmt_time=1559246890.027469, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246821.052836, rec_time=1559246821.069165, xmt_time=1559246890.027512, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246823.12395, rec_time=1559246823.295751, xmt_time=1559246890.027523, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013596, root_disp=0.025208, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246828.086879, org_time=1559246890.027523, rec_time=1559246890.060644, xmt_time=1559246890.060687, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.01091, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245577.265702, org_time=1559246890.027512, rec_time=1559246890.069012, xmt_time=1559246890.069048, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=GPS\x00, ref_time=1559246890.0, org_time=1559246890.027469, rec_time=1559246890.070262, xmt_time=1559246890.070268, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02832, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.05173, rec_time=1559246822.067161, xmt_time=1559246891.027395, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02832, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246825.052045, rec_time=1559246825.066358, xmt_time=1559246891.029953, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.025391, root_disp=0.015671, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246412.455332, org_time=1559246891.027395, rec_time=1559246891.051818, xmt_time=1559246891.051827, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013657, root_disp=0.025818, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246788.670839, org_time=1559246891.029953, rec_time=1559246891.061992, xmt_time=1559246891.062023, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028336, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246824.061335, rec_time=1559246824.08282, xmt_time=1559246892.027401, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000002, root_delay=0.00351, root_disp=0.042603, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245178.020777, org_time=1559246892.027401, rec_time=1559246892.05139, xmt_time=1559246892.051436, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028366, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246825.064608, rec_time=1559246825.074985, xmt_time=1559246894.027491, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041504, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246894.027491, rec_time=1559246894.059304, xmt_time=1559246894.05938, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028427, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246829.060691, rec_time=1559246829.079018, xmt_time=1559246898.027403, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028427, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246830.0714, rec_time=1559246830.08971, xmt_time=1559246898.029953, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=4, std_msg=[stratum=3, poll=64.0, precision=0.000001, root_delay=0.011917, root_disp=0.000565, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246667.219303, org_time=1559246898.027403, rec_time=1559246898.077958, xmt_time=1559246898.078029, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.036819, root_disp=0.050842, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246822.40751, org_time=1559246898.029953, rec_time=1559246898.078347, xmt_time=1559246898.07843, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028458, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246833.067975, rec_time=1559246833.07965, xmt_time=1559246900.027439, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028458, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246831.053954, rec_time=1559246831.069547, xmt_time=1559246900.030036, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013535, root_disp=0.029602, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246283.180069, org_time=1559246900.030036, rec_time=1559246900.08881, xmt_time=1559246900.088844, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041595, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246900.027439, rec_time=1559246900.103765, xmt_time=1559246900.103887, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=3, std_msg=[stratum=0, poll=16.0, precision=0.015625, root_delay=1.0, root_disp=1.0, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1101309131.444112, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.000122, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=CTD\x00, ref_time=1559246910.937978, org_time=1101309131.444112, rec_time=1559246940.281161, xmt_time=1559246940.281191, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028229, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246818.058351, rec_time=1559246818.079217, xmt_time=1559246885.027449, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.52.109:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.048843, root_disp=0.075409, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=105.237.207.28, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245852.721794, org_time=1559246885.027449, rec_time=1559246885.069212, xmt_time=1559246885.069247, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028259, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246820.060608, rec_time=1559246820.081498, xmt_time=1559246887.027425, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.88:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.003799, root_disp=0.037018, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245541.537424, org_time=1559246887.027425, rec_time=1559246887.050758, xmt_time=1559246887.050774, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246819.064014, rec_time=1559246819.079147, xmt_time=1559246888.027454, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028275, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.050275, rec_time=1559246822.064562, xmt_time=1559246888.030021, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 185.19.184.35:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.003235, root_disp=0.000565, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246481.481997, org_time=1559246888.030021, rec_time=1559246888.22033, xmt_time=1559246888.220401, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.131.188:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.040375, root_disp=0.001236, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=195.113.144.238, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246882.967102, org_time=1559246888.027454, rec_time=1559246888.234035, xmt_time=1559246888.234061, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02829, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.05809, rec_time=1559246822.069097, xmt_time=1559246889.027449, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.3:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000001, root_delay=0.00351, root_disp=0.040573, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.232, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245278.44239, org_time=1559246889.027449, rec_time=1559246889.061203, xmt_time=1559246889.06122, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246824.073855, rec_time=1559246824.095227, xmt_time=1559246890.027469, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246821.052836, rec_time=1559246821.069165, xmt_time=1559246890.027512, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028305, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246823.12395, rec_time=1559246823.295751, xmt_time=1559246890.027523, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 188.213.165.209:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013596, root_disp=0.025208, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.232, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246828.086879, org_time=1559246890.027523, rec_time=1559246890.060644, xmt_time=1559246890.060687, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 31.14.133.122:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.01091, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245577.265702, org_time=1559246890.027512, rec_time=1559246890.069012, xmt_time=1559246890.069048, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 85.199.214.99:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.0, kiss_code=<uninitialized>, ref_id=GPS\x00, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246890.0, org_time=1559246890.027469, rec_time=1559246890.070262, xmt_time=1559246890.070268, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02832, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246822.05173, rec_time=1559246822.067161, xmt_time=1559246891.027395, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.02832, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246825.052045, rec_time=1559246825.066358, xmt_time=1559246891.029953, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 93.41.196.243:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.025391, root_disp=0.015671, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246412.455332, org_time=1559246891.027395, rec_time=1559246891.051818, xmt_time=1559246891.051827, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 94.177.187.22:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013657, root_disp=0.025818, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.233, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246788.670839, org_time=1559246891.029953, rec_time=1559246891.061992, xmt_time=1559246891.062023, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028336, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246824.061335, rec_time=1559246824.08282, xmt_time=1559246892.027401, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 212.45.144.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000002, root_delay=0.00351, root_disp=0.042603, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.232, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245178.020777, org_time=1559246892.027401, rec_time=1559246892.05139, xmt_time=1559246892.051436, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028366, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246825.064608, rec_time=1559246825.074985, xmt_time=1559246894.027491, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.214:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041504, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=212.7.1.132, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246894.027491, rec_time=1559246894.059304, xmt_time=1559246894.05938, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028427, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246829.060691, rec_time=1559246829.079018, xmt_time=1559246898.027403, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028427, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246830.0714, rec_time=1559246830.08971, xmt_time=1559246898.029953, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.88.132:123 [version=3, mode=4, std_msg=[stratum=3, poll=64.0, precision=0.000001, root_delay=0.011917, root_disp=0.000565, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=185.19.184.35, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246667.219303, org_time=1559246898.027403, rec_time=1559246898.077958, xmt_time=1559246898.078029, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.171.177:123 [version=4, mode=4, std_msg=[stratum=4, poll=64.0, precision=0, root_delay=0.036819, root_disp=0.050842, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=73.98.4.223, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246822.40751, org_time=1559246898.029953, rec_time=1559246898.078347, xmt_time=1559246898.07843, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028458, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246833.067975, rec_time=1559246833.07965, xmt_time=1559246900.027439, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=3, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.04628, root_disp=0.028458, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=85.199.214.99, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246556.073681, org_time=1559246831.053954, rec_time=1559246831.069547, xmt_time=1559246900.030036, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0, root_delay=0.013535, root_disp=0.029602, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=193.204.114.232, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246283.180069, org_time=1559246900.030036, rec_time=1559246900.08881, xmt_time=1559246900.088844, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041595, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=212.7.1.132, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246900.027439, rec_time=1559246900.103765, xmt_time=1559246900.103887, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=3, std_msg=[stratum=0, poll=16.0, precision=0.015625, root_delay=1.0, root_disp=1.0, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1101309131.444112, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.000122, kiss_code=<uninitialized>, ref_id=CTD\x00, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246910.937978, org_time=1101309131.444112, rec_time=1559246940.281161, xmt_time=1559246940.281191, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=42, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
index 4c56431bf0..b8e53bc43b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
@@ -3,42 +3,42 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-05-09-15-43
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
-#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
-1559246885.027478	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	3	2	64.000000	0.000000	0.046280	0.028229	-	-	-	-	1559246556.073681	1559246818.058351	1559246818.079217	1559246885.027449	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246885.088815	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.075409	-	-	-	-	1559245852.721794	1559246885.027449	1559246885.069212	1559246885.069247	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246887.027467	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	3	2	64.000000	0.000000	0.046280	0.028259	-	-	-	-	1559246556.073681	1559246820.060608	1559246820.081498	1559246887.027425	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246887.060766	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	4	2	64.000000	0.000000	0.003799	0.037018	-	-	-	-	1559245541.537424	1559246887.027425	1559246887.050758	1559246887.050774	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246888.027489	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	3	2	64.000000	0.000000	0.046280	0.028275	-	-	-	-	1559246556.073681	1559246819.064014	1559246819.079147	1559246888.027454	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246888.030028	CtPZjS20MLrsMUOJi2	192.168.43.118	123	185.19.184.35	123	4	3	2	64.000000	0.000000	0.046280	0.028275	-	-	-	-	1559246556.073681	1559246822.050275	1559246822.064562	1559246888.030021	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246888.422200	CtPZjS20MLrsMUOJi2	192.168.43.118	123	185.19.184.35	123	4	4	2	64.000000	0.000008	0.003235	0.000565	-	-	-	-	1559246481.481997	1559246888.030021	1559246888.220330	1559246888.220401	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246888.422229	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	4	2	64.000000	0.000000	0.040375	0.001236	-	-	-	-	1559246882.967102	1559246888.027454	1559246888.234035	1559246888.234061	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246889.027482	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	212.45.144.3	123	4	3	2	64.000000	0.000000	0.046280	0.028290	-	-	-	-	1559246556.073681	1559246822.058090	1559246822.069097	1559246889.027449	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246889.075261	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	212.45.144.3	123	4	4	2	64.000000	0.000001	0.003510	0.040573	-	-	-	-	1559245278.442390	1559246889.027449	1559246889.061203	1559246889.061220	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246890.027493	CmES5u32sYpV7JYN	192.168.43.118	123	85.199.214.99	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	-	-	1559246556.073681	1559246824.073855	1559246824.095227	1559246890.027469	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246890.027517	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	-	-	1559246556.073681	1559246821.052836	1559246821.069165	1559246890.027512	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246890.027528	C37jN32gN3y3AZzyf6	192.168.43.118	123	188.213.165.209	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	-	-	1559246556.073681	1559246823.123950	1559246823.295751	1559246890.027523	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246890.076319	C37jN32gN3y3AZzyf6	192.168.43.118	123	188.213.165.209	123	4	4	2	64.000000	0.000000	0.013596	0.025208	-	-	-	-	1559246828.086879	1559246890.027523	1559246890.060644	1559246890.060687	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246890.082370	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	4	2	64.000000	0.000000	0.010910	0.037491	-	-	-	-	1559245577.265702	1559246890.027512	1559246890.069012	1559246890.069048	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246890.094824	CmES5u32sYpV7JYN	192.168.43.118	123	85.199.214.99	123	4	4	1	16.000000	0.000000	0.000000	0.000000	-	-	-	-	1559246890.000000	1559246890.027469	1559246890.070262	1559246890.070268	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246891.027431	C3eiCBGOLw3VtHfOj	192.168.43.118	123	93.41.196.243	123	4	3	2	64.000000	0.000000	0.046280	0.028320	-	-	-	-	1559246556.073681	1559246822.051730	1559246822.067161	1559246891.027395	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246891.029967	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	94.177.187.22	123	4	3	2	64.000000	0.000000	0.046280	0.028320	-	-	-	-	1559246556.073681	1559246825.052045	1559246825.066358	1559246891.029953	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246891.068733	C3eiCBGOLw3VtHfOj	192.168.43.118	123	93.41.196.243	123	4	4	2	64.000000	0.000000	0.025391	0.015671	-	-	-	-	1559246412.455332	1559246891.027395	1559246891.051818	1559246891.051827	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246891.075965	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	94.177.187.22	123	4	4	2	64.000000	0.000000	0.013657	0.025818	-	-	-	-	1559246788.670839	1559246891.029953	1559246891.061992	1559246891.062023	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246892.027415	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	3	2	64.000000	0.000000	0.046280	0.028336	-	-	-	-	1559246556.073681	1559246824.061335	1559246824.082820	1559246892.027401	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246892.077560	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	4	2	64.000000	0.000002	0.003510	0.042603	-	-	-	-	1559245178.020777	1559246892.027401	1559246892.051390	1559246892.051436	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246894.027523	CFLRIC3zaTU1loLGxh	192.168.43.118	123	147.135.207.214	123	4	3	2	64.000000	0.000000	0.046280	0.028366	-	-	-	-	1559246556.073681	1559246825.064608	1559246825.074985	1559246894.027491	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246894.070325	CFLRIC3zaTU1loLGxh	192.168.43.118	123	147.135.207.214	123	4	4	2	64.000000	0.000008	0.042236	0.041504	-	-	-	-	1559245356.576177	1559246894.027491	1559246894.059304	1559246894.059380	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246898.027422	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.88.132	123	3	3	2	64.000000	0.000000	0.046280	0.028427	-	-	-	-	1559246556.073681	1559246829.060691	1559246829.079018	1559246898.027403	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246898.029960	Ck51lg1bScffFj34Ri	192.168.43.118	123	80.211.171.177	123	4	3	2	64.000000	0.000000	0.046280	0.028427	-	-	-	-	1559246556.073681	1559246830.071400	1559246830.089710	1559246898.029953	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246898.094782	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011917	0.000565	-	-	-	-	1559246667.219303	1559246898.027403	1559246898.077958	1559246898.078029	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246898.094827	Ck51lg1bScffFj34Ri	192.168.43.118	123	80.211.171.177	123	4	4	4	64.000000	0.000000	0.036819	0.050842	-	-	-	-	1559246822.407510	1559246898.029953	1559246898.078347	1559246898.078430	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246900.027467	C9mvWx3ezztgzcexV7	192.168.43.118	123	147.135.207.213	123	4	3	2	64.000000	0.000000	0.046280	0.028458	-	-	-	-	1559246556.073681	1559246833.067975	1559246833.079650	1559246900.027439	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246900.030051	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.155.206	123	4	3	2	64.000000	0.000000	0.046280	0.028458	-	-	-	-	1559246556.073681	1559246831.053954	1559246831.069547	1559246900.030036	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246900.102991	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.155.206	123	4	4	2	64.000000	0.000000	0.013535	0.029602	-	-	-	-	1559246283.180069	1559246900.030036	1559246900.088810	1559246900.088844	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246900.111834	C9mvWx3ezztgzcexV7	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.041595	-	-	-	-	1559245356.576177	1559246900.027439	1559246900.103765	1559246900.103887	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246940.262220	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	3	0	16.000000	0.015625	1.000000	1.000000	-	-	-	-	0.000000	0.000000	0.000000	1101309131.444112	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246940.304152	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	4	1	16.000000	0.000000	0.000000	0.000122	-	-	-	-	1559246910.937978	1101309131.444112	1559246940.281161	1559246940.281191	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1559246940.486493	CykQaM33ztNt0csB9a	192.168.43.118	43046	193.204.114.232	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	42	F	-	3	0
-#close	2019-06-05-09-15-44
+#open	2019-06-06-14-36-21
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
+1559246885.027478	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	3	2	64.000000	0.000000	0.046280	0.028229	-	-	85.199.214.99	-	1559246556.073681	1559246818.058351	1559246818.079217	1559246885.027449	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246885.088815	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.075409	-	-	105.237.207.28	-	1559245852.721794	1559246885.027449	1559246885.069212	1559246885.069247	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246887.027467	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	3	2	64.000000	0.000000	0.046280	0.028259	-	-	85.199.214.99	-	1559246556.073681	1559246820.060608	1559246820.081498	1559246887.027425	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246887.060766	ClEkJM2Vm5giqnMf4h	192.168.43.118	123	212.45.144.88	123	4	4	2	64.000000	0.000000	0.003799	0.037018	-	-	193.204.114.233	-	1559245541.537424	1559246887.027425	1559246887.050758	1559246887.050774	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246888.027489	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	3	2	64.000000	0.000000	0.046280	0.028275	-	-	85.199.214.99	-	1559246556.073681	1559246819.064014	1559246819.079147	1559246888.027454	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246888.030028	CtPZjS20MLrsMUOJi2	192.168.43.118	123	185.19.184.35	123	4	3	2	64.000000	0.000000	0.046280	0.028275	-	-	85.199.214.99	-	1559246556.073681	1559246822.050275	1559246822.064562	1559246888.030021	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246888.422200	CtPZjS20MLrsMUOJi2	192.168.43.118	123	185.19.184.35	123	4	4	2	64.000000	0.000008	0.003235	0.000565	-	-	193.204.114.233	-	1559246481.481997	1559246888.030021	1559246888.220330	1559246888.220401	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246888.422229	C4J4Th3PJpwUYZZ6gc	192.168.43.118	123	31.14.131.188	123	4	4	2	64.000000	0.000000	0.040375	0.001236	-	-	195.113.144.238	-	1559246882.967102	1559246888.027454	1559246888.234035	1559246888.234061	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246889.027482	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	212.45.144.3	123	4	3	2	64.000000	0.000000	0.046280	0.028290	-	-	85.199.214.99	-	1559246556.073681	1559246822.058090	1559246822.069097	1559246889.027449	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246889.075261	CUM0KZ3MLUfNB0cl11	192.168.43.118	123	212.45.144.3	123	4	4	2	64.000000	0.000001	0.003510	0.040573	-	-	193.204.114.232	-	1559245278.442390	1559246889.027449	1559246889.061203	1559246889.061220	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.027493	CmES5u32sYpV7JYN	192.168.43.118	123	85.199.214.99	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	85.199.214.99	-	1559246556.073681	1559246824.073855	1559246824.095227	1559246890.027469	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.027517	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	85.199.214.99	-	1559246556.073681	1559246821.052836	1559246821.069165	1559246890.027512	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.027528	C37jN32gN3y3AZzyf6	192.168.43.118	123	188.213.165.209	123	4	3	2	64.000000	0.000000	0.046280	0.028305	-	-	85.199.214.99	-	1559246556.073681	1559246823.123950	1559246823.295751	1559246890.027523	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.076319	C37jN32gN3y3AZzyf6	192.168.43.118	123	188.213.165.209	123	4	4	2	64.000000	0.000000	0.013596	0.025208	-	-	193.204.114.232	-	1559246828.086879	1559246890.027523	1559246890.060644	1559246890.060687	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.082370	CP5puj4I8PtEU4qzYg	192.168.43.118	123	31.14.133.122	123	4	4	2	64.000000	0.000000	0.010910	0.037491	-	-	193.204.114.233	-	1559245577.265702	1559246890.027512	1559246890.069012	1559246890.069048	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246890.094824	CmES5u32sYpV7JYN	192.168.43.118	123	85.199.214.99	123	4	4	1	16.000000	0.000000	0.000000	0.000000	-	GPS\x00	-	-	1559246890.000000	1559246890.027469	1559246890.070262	1559246890.070268	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246891.027431	C3eiCBGOLw3VtHfOj	192.168.43.118	123	93.41.196.243	123	4	3	2	64.000000	0.000000	0.046280	0.028320	-	-	85.199.214.99	-	1559246556.073681	1559246822.051730	1559246822.067161	1559246891.027395	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246891.029967	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	94.177.187.22	123	4	3	2	64.000000	0.000000	0.046280	0.028320	-	-	85.199.214.99	-	1559246556.073681	1559246825.052045	1559246825.066358	1559246891.029953	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246891.068733	C3eiCBGOLw3VtHfOj	192.168.43.118	123	93.41.196.243	123	4	4	2	64.000000	0.000000	0.025391	0.015671	-	-	193.204.114.233	-	1559246412.455332	1559246891.027395	1559246891.051818	1559246891.051827	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246891.075965	CwjjYJ2WqgTbAqiHl6	192.168.43.118	123	94.177.187.22	123	4	4	2	64.000000	0.000000	0.013657	0.025818	-	-	193.204.114.233	-	1559246788.670839	1559246891.029953	1559246891.061992	1559246891.062023	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246892.027415	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	3	2	64.000000	0.000000	0.046280	0.028336	-	-	85.199.214.99	-	1559246556.073681	1559246824.061335	1559246824.082820	1559246892.027401	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246892.077560	C0LAHyvtKSQHyJxIl	192.168.43.118	123	212.45.144.206	123	4	4	2	64.000000	0.000002	0.003510	0.042603	-	-	193.204.114.232	-	1559245178.020777	1559246892.027401	1559246892.051390	1559246892.051436	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246894.027523	CFLRIC3zaTU1loLGxh	192.168.43.118	123	147.135.207.214	123	4	3	2	64.000000	0.000000	0.046280	0.028366	-	-	85.199.214.99	-	1559246556.073681	1559246825.064608	1559246825.074985	1559246894.027491	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246894.070325	CFLRIC3zaTU1loLGxh	192.168.43.118	123	147.135.207.214	123	4	4	2	64.000000	0.000008	0.042236	0.041504	-	-	212.7.1.132	-	1559245356.576177	1559246894.027491	1559246894.059304	1559246894.059380	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246898.027422	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.88.132	123	3	3	2	64.000000	0.000000	0.046280	0.028427	-	-	85.199.214.99	-	1559246556.073681	1559246829.060691	1559246829.079018	1559246898.027403	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246898.029960	Ck51lg1bScffFj34Ri	192.168.43.118	123	80.211.171.177	123	4	3	2	64.000000	0.000000	0.046280	0.028427	-	-	85.199.214.99	-	1559246556.073681	1559246830.071400	1559246830.089710	1559246898.029953	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246898.094782	C9rXSW3KSpTYvPrlI1	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011917	0.000565	-	-	185.19.184.35	-	1559246667.219303	1559246898.027403	1559246898.077958	1559246898.078029	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246898.094827	Ck51lg1bScffFj34Ri	192.168.43.118	123	80.211.171.177	123	4	4	4	64.000000	0.000000	0.036819	0.050842	-	-	73.98.4.223	-	1559246822.407510	1559246898.029953	1559246898.078347	1559246898.078430	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246900.027467	C9mvWx3ezztgzcexV7	192.168.43.118	123	147.135.207.213	123	4	3	2	64.000000	0.000000	0.046280	0.028458	-	-	85.199.214.99	-	1559246556.073681	1559246833.067975	1559246833.079650	1559246900.027439	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246900.030051	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.155.206	123	4	3	2	64.000000	0.000000	0.046280	0.028458	-	-	85.199.214.99	-	1559246556.073681	1559246831.053954	1559246831.069547	1559246900.030036	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246900.102991	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.155.206	123	4	4	2	64.000000	0.000000	0.013535	0.029602	-	-	193.204.114.232	-	1559246283.180069	1559246900.030036	1559246900.088810	1559246900.088844	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246900.111834	C9mvWx3ezztgzcexV7	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.041595	-	-	212.7.1.132	-	1559245356.576177	1559246900.027439	1559246900.103765	1559246900.103887	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246940.262220	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	3	0	16.000000	0.015625	1.000000	1.000000	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1101309131.444112	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246940.304152	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	4	1	16.000000	0.000000	0.000000	0.000122	-	CTD\x00	-	-	1559246910.937978	1101309131.444112	1559246940.281161	1559246940.281191	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1559246940.486493	CykQaM33ztNt0csB9a	192.168.43.118	43046	193.204.114.232	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	-	-	42	F	-	3	0
+#close	2019-06-06-14-36-21
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/.stdout
index f472ab8a40..fe50376a61 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/.stdout
@@ -1,30 +1,30 @@
-ntp_message 192.168.50.50 -> 67.129.68.9:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 69.44.57.60:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 207.234.209.181:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 209.132.176.4:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 216.27.185.42:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 24.34.79.42:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 24.123.202.230:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 63.164.62.249:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 64.112.189.11:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 65.125.233.206:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.33.206.5:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.33.216.11:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.92.68.246:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.111.46.200:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.115.136.4:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=\x00\x00\x00\x00, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 69.44.57.60:123 [version=3, mode=2, std_msg=[stratum=3, poll=1024.0, precision=0.000004, root_delay=0.109238, root_disp=0.081726, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254668.551001, org_time=1096255084.922896, rec_time=1096255083.809713, xmt_time=1096255083.80976, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 24.123.202.230:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.030319, root_disp=0.185547, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096252181.259041, org_time=1096255084.922896, rec_time=1096255083.821124, xmt_time=1096255083.821134, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 67.129.68.9:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000008, root_delay=0.060455, root_disp=7.46431, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1095788645.064548, org_time=1096255084.922896, rec_time=1096255083.848508, xmt_time=1096255083.848601, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 65.125.233.206:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000031, root_delay=0.023254, root_disp=0.012848, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254901.858123, org_time=1096255084.922896, rec_time=1096255083.828025, xmt_time=1096255083.828189, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 63.164.62.249:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.015015, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254668.213801, org_time=1096255084.922896, rec_time=1096255083.829249, xmt_time=1096255083.829301, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 207.234.209.181:123 [version=3, mode=2, std_msg=[stratum=3, poll=1024.0, precision=0.000008, root_delay=0.072678, root_disp=0.035049, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254326.1896, org_time=1096255084.922896, rec_time=1096255083.824154, xmt_time=1096255083.824174, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.92.68.246:123 [version=3, mode=2, std_msg=[stratum=1, poll=1024.0, precision=0.000015, root_delay=0.0, root_disp=0.00032, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=GPS\x00, ref_time=1096255078.223498, org_time=1096255084.932911, rec_time=1096255083.836845, xmt_time=1096255083.83687, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 24.34.79.42:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000031, root_delay=0.123322, root_disp=0.039917, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254970.010788, org_time=1096255084.922896, rec_time=1096255083.825662, xmt_time=1096255083.825692, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.115.136.4:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000008, root_delay=0.016632, root_disp=0.028641, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254406.517429, org_time=1096255084.932911, rec_time=1096255083.853291, xmt_time=1096255083.853336, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.33.206.5:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000004, root_delay=0.01236, root_disp=0.022202, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096255027.694744, org_time=1096255084.932911, rec_time=1096255083.850895, xmt_time=1096255083.850907, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.33.216.11:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.009857, root_disp=0.043747, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254508.255586, org_time=1096255084.932911, rec_time=1096255083.850965, xmt_time=1096255083.851024, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 66.111.46.200:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.056396, root_disp=0.062164, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096253376.841474, org_time=1096255084.932911, rec_time=1096255083.847619, xmt_time=1096255083.847644, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 64.112.189.11:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000015, root_delay=0.081268, root_disp=0.029877, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254706.14029, org_time=1096255084.922896, rec_time=1096255083.850451, xmt_time=1096255083.850465, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 216.27.185.42:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000004, root_delay=0.029846, root_disp=0.045456, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254209.896379, org_time=1096255084.922896, rec_time=1096255083.849099, xmt_time=1096255083.849269, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.50.50 -> 209.132.176.4:123 [version=3, mode=2, std_msg=[stratum=1, poll=1024.0, precision=0.000015, root_delay=0.0, root_disp=0.000504, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=CDMA, ref_time=1096255068.944018, org_time=1096255084.922896, rec_time=1096255083.827772, xmt_time=1096255083.828313, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 67.129.68.9:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 69.44.57.60:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 207.234.209.181:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 209.132.176.4:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 216.27.185.42:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 24.34.79.42:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 24.123.202.230:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 63.164.62.249:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 64.112.189.11:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 65.125.233.206:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.922896, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.33.206.5:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.33.216.11:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.92.68.246:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.111.46.200:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.115.136.4:123 [version=3, mode=1, std_msg=[stratum=0, poll=1024.0, precision=0.015625, root_delay=0.0, root_disp=1.01001, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1096255084.932911, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 69.44.57.60:123 [version=3, mode=2, std_msg=[stratum=3, poll=1024.0, precision=0.000004, root_delay=0.109238, root_disp=0.081726, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=81.174.128.183, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254668.551001, org_time=1096255084.922896, rec_time=1096255083.809713, xmt_time=1096255083.80976, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 24.123.202.230:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.030319, root_disp=0.185547, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=198.30.92.2, ref_v6_hash_prefix=<uninitialized>, ref_time=1096252181.259041, org_time=1096255084.922896, rec_time=1096255083.821124, xmt_time=1096255083.821134, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 67.129.68.9:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000008, root_delay=0.060455, root_disp=7.46431, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=17.254.0.49, ref_v6_hash_prefix=<uninitialized>, ref_time=1095788645.064548, org_time=1096255084.922896, rec_time=1096255083.848508, xmt_time=1096255083.848601, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 65.125.233.206:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000031, root_delay=0.023254, root_disp=0.012848, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=130.207.244.240, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254901.858123, org_time=1096255084.922896, rec_time=1096255083.828025, xmt_time=1096255083.828189, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 63.164.62.249:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.015015, root_disp=0.037491, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=18.145.0.30, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254668.213801, org_time=1096255084.922896, rec_time=1096255083.829249, xmt_time=1096255083.829301, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 207.234.209.181:123 [version=3, mode=2, std_msg=[stratum=3, poll=1024.0, precision=0.000008, root_delay=0.072678, root_disp=0.035049, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=198.82.1.203, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254326.1896, org_time=1096255084.922896, rec_time=1096255083.824154, xmt_time=1096255083.824174, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.92.68.246:123 [version=3, mode=2, std_msg=[stratum=1, poll=1024.0, precision=0.000015, root_delay=0.0, root_disp=0.00032, kiss_code=<uninitialized>, ref_id=GPS\x00, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096255078.223498, org_time=1096255084.932911, rec_time=1096255083.836845, xmt_time=1096255083.83687, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 24.34.79.42:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000031, root_delay=0.123322, root_disp=0.039917, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=131.107.1.10, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254970.010788, org_time=1096255084.922896, rec_time=1096255083.825662, xmt_time=1096255083.825692, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.115.136.4:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000008, root_delay=0.016632, root_disp=0.028641, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=130.207.244.240, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254406.517429, org_time=1096255084.932911, rec_time=1096255083.853291, xmt_time=1096255083.853336, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.33.206.5:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000004, root_delay=0.01236, root_disp=0.022202, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=192.12.19.20, ref_v6_hash_prefix=<uninitialized>, ref_time=1096255027.694744, org_time=1096255084.932911, rec_time=1096255083.850895, xmt_time=1096255083.850907, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.33.216.11:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.009857, root_disp=0.043747, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=204.123.2.72, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254508.255586, org_time=1096255084.932911, rec_time=1096255083.850965, xmt_time=1096255083.851024, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 66.111.46.200:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000001, root_delay=0.056396, root_disp=0.062164, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=198.30.92.2, ref_v6_hash_prefix=<uninitialized>, ref_time=1096253376.841474, org_time=1096255084.932911, rec_time=1096255083.847619, xmt_time=1096255083.847644, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 64.112.189.11:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000015, root_delay=0.081268, root_disp=0.029877, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=128.10.252.6, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254706.14029, org_time=1096255084.922896, rec_time=1096255083.850451, xmt_time=1096255083.850465, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 216.27.185.42:123 [version=3, mode=2, std_msg=[stratum=2, poll=1024.0, precision=0.000004, root_delay=0.029846, root_disp=0.045456, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=164.67.62.194, ref_v6_hash_prefix=<uninitialized>, ref_time=1096254209.896379, org_time=1096255084.922896, rec_time=1096255083.849099, xmt_time=1096255083.849269, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
+ntp_message 192.168.50.50 -> 209.132.176.4:123 [version=3, mode=2, std_msg=[stratum=1, poll=1024.0, precision=0.000015, root_delay=0.0, root_disp=0.000504, kiss_code=<uninitialized>, ref_id=CDMA, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1096255068.944018, org_time=1096255084.922896, rec_time=1096255083.827772, xmt_time=1096255083.828313, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
index 5075ab04ed..38d0a32f16 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
@@ -3,37 +3,37 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-05-09-15-50
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
-#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
-1096255084.954975	ClEkJM2Vm5giqnMf4h	192.168.50.50	123	67.129.68.9	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.955306	C4J4Th3PJpwUYZZ6gc	192.168.50.50	123	69.44.57.60	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.955760	CtPZjS20MLrsMUOJi2	192.168.50.50	123	207.234.209.181	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.956155	CUM0KZ3MLUfNB0cl11	192.168.50.50	123	209.132.176.4	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.956577	CmES5u32sYpV7JYN	192.168.50.50	123	216.27.185.42	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.956975	CP5puj4I8PtEU4qzYg	192.168.50.50	123	24.34.79.42	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.957457	C37jN32gN3y3AZzyf6	192.168.50.50	123	24.123.202.230	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.957903	C3eiCBGOLw3VtHfOj	192.168.50.50	123	63.164.62.249	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.958625	CwjjYJ2WqgTbAqiHl6	192.168.50.50	123	64.112.189.11	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.959273	C0LAHyvtKSQHyJxIl	192.168.50.50	123	65.125.233.206	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.960065	CFLRIC3zaTU1loLGxh	192.168.50.50	123	66.33.206.5	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.960866	C9rXSW3KSpTYvPrlI1	192.168.50.50	123	66.33.216.11	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.961475	Ck51lg1bScffFj34Ri	192.168.50.50	123	66.92.68.246	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.962222	C9mvWx3ezztgzcexV7	192.168.50.50	123	66.111.46.200	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255084.962915	CNnMIj2QSd84NKf7U3	192.168.50.50	123	66.115.136.4	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	-	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.012029	C4J4Th3PJpwUYZZ6gc	192.168.50.50	123	69.44.57.60	123	3	2	3	1024.000000	0.000004	0.109238	0.081726	-	-	-	-	1096254668.551001	1096255084.922896	1096255083.809713	1096255083.809760	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.049280	C37jN32gN3y3AZzyf6	192.168.50.50	123	24.123.202.230	123	3	2	2	1024.000000	0.000001	0.030319	0.185547	-	-	-	-	1096252181.259041	1096255084.922896	1096255083.821124	1096255083.821134	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.092991	ClEkJM2Vm5giqnMf4h	192.168.50.50	123	67.129.68.9	123	3	2	2	1024.000000	0.000008	0.060455	7.464310	-	-	-	-	1095788645.064548	1096255084.922896	1096255083.848508	1096255083.848601	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.120557	C0LAHyvtKSQHyJxIl	192.168.50.50	123	65.125.233.206	123	3	2	2	1024.000000	0.000031	0.023254	0.012848	-	-	-	-	1096254901.858123	1096255084.922896	1096255083.828025	1096255083.828189	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.185955	C3eiCBGOLw3VtHfOj	192.168.50.50	123	63.164.62.249	123	3	2	2	1024.000000	0.000001	0.015015	0.037491	-	-	-	-	1096254668.213801	1096255084.922896	1096255083.829249	1096255083.829301	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.223026	CtPZjS20MLrsMUOJi2	192.168.50.50	123	207.234.209.181	123	3	2	3	1024.000000	0.000008	0.072678	0.035049	-	-	-	-	1096254326.189600	1096255084.922896	1096255083.824154	1096255083.824174	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.280949	Ck51lg1bScffFj34Ri	192.168.50.50	123	66.92.68.246	123	3	2	1	1024.000000	0.000015	0.000000	0.000320	-	-	-	-	1096255078.223498	1096255084.932911	1096255083.836845	1096255083.836870	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.304774	CP5puj4I8PtEU4qzYg	192.168.50.50	123	24.34.79.42	123	3	2	2	1024.000000	0.000031	0.123322	0.039917	-	-	-	-	1096254970.010788	1096255084.922896	1096255083.825662	1096255083.825692	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.353360	CNnMIj2QSd84NKf7U3	192.168.50.50	123	66.115.136.4	123	3	2	2	1024.000000	0.000008	0.016632	0.028641	-	-	-	-	1096254406.517429	1096255084.932911	1096255083.853291	1096255083.853336	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.406368	CFLRIC3zaTU1loLGxh	192.168.50.50	123	66.33.206.5	123	3	2	2	1024.000000	0.000004	0.012360	0.022202	-	-	-	-	1096255027.694744	1096255084.932911	1096255083.850895	1096255083.850907	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.439833	C9rXSW3KSpTYvPrlI1	192.168.50.50	123	66.33.216.11	123	3	2	2	1024.000000	0.000001	0.009857	0.043747	-	-	-	-	1096254508.255586	1096255084.932911	1096255083.850965	1096255083.851024	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.480955	C9mvWx3ezztgzcexV7	192.168.50.50	123	66.111.46.200	123	3	2	2	1024.000000	0.000001	0.056396	0.062164	-	-	-	-	1096253376.841474	1096255084.932911	1096255083.847619	1096255083.847644	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.522297	CwjjYJ2WqgTbAqiHl6	192.168.50.50	123	64.112.189.11	123	3	2	2	1024.000000	0.000015	0.081268	0.029877	-	-	-	-	1096254706.140290	1096255084.922896	1096255083.850451	1096255083.850465	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.562197	CmES5u32sYpV7JYN	192.168.50.50	123	216.27.185.42	123	3	2	2	1024.000000	0.000004	0.029846	0.045456	-	-	-	-	1096254209.896379	1096255084.922896	1096255083.849099	1096255083.849269	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-1096255085.599961	CUM0KZ3MLUfNB0cl11	192.168.50.50	123	209.132.176.4	123	3	2	1	1024.000000	0.000015	0.000000	0.000504	-	-	-	-	1096255068.944018	1096255084.922896	1096255083.827772	1096255083.828313	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-
-#close	2019-06-05-09-15-50
+#open	2019-06-06-14-36-29
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
+1096255084.954975	ClEkJM2Vm5giqnMf4h	192.168.50.50	123	67.129.68.9	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.955306	C4J4Th3PJpwUYZZ6gc	192.168.50.50	123	69.44.57.60	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.955760	CtPZjS20MLrsMUOJi2	192.168.50.50	123	207.234.209.181	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.956155	CUM0KZ3MLUfNB0cl11	192.168.50.50	123	209.132.176.4	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.956577	CmES5u32sYpV7JYN	192.168.50.50	123	216.27.185.42	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.956975	CP5puj4I8PtEU4qzYg	192.168.50.50	123	24.34.79.42	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.957457	C37jN32gN3y3AZzyf6	192.168.50.50	123	24.123.202.230	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.957903	C3eiCBGOLw3VtHfOj	192.168.50.50	123	63.164.62.249	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.958625	CwjjYJ2WqgTbAqiHl6	192.168.50.50	123	64.112.189.11	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.959273	C0LAHyvtKSQHyJxIl	192.168.50.50	123	65.125.233.206	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.960065	CFLRIC3zaTU1loLGxh	192.168.50.50	123	66.33.206.5	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.960866	C9rXSW3KSpTYvPrlI1	192.168.50.50	123	66.33.216.11	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.961475	Ck51lg1bScffFj34Ri	192.168.50.50	123	66.92.68.246	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.962222	C9mvWx3ezztgzcexV7	192.168.50.50	123	66.111.46.200	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255084.962915	CNnMIj2QSd84NKf7U3	192.168.50.50	123	66.115.136.4	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.932911	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.012029	C4J4Th3PJpwUYZZ6gc	192.168.50.50	123	69.44.57.60	123	3	2	3	1024.000000	0.000004	0.109238	0.081726	-	-	81.174.128.183	-	1096254668.551001	1096255084.922896	1096255083.809713	1096255083.809760	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.049280	C37jN32gN3y3AZzyf6	192.168.50.50	123	24.123.202.230	123	3	2	2	1024.000000	0.000001	0.030319	0.185547	-	-	198.30.92.2	-	1096252181.259041	1096255084.922896	1096255083.821124	1096255083.821134	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.092991	ClEkJM2Vm5giqnMf4h	192.168.50.50	123	67.129.68.9	123	3	2	2	1024.000000	0.000008	0.060455	7.464310	-	-	17.254.0.49	-	1095788645.064548	1096255084.922896	1096255083.848508	1096255083.848601	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.120557	C0LAHyvtKSQHyJxIl	192.168.50.50	123	65.125.233.206	123	3	2	2	1024.000000	0.000031	0.023254	0.012848	-	-	130.207.244.240	-	1096254901.858123	1096255084.922896	1096255083.828025	1096255083.828189	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.185955	C3eiCBGOLw3VtHfOj	192.168.50.50	123	63.164.62.249	123	3	2	2	1024.000000	0.000001	0.015015	0.037491	-	-	18.145.0.30	-	1096254668.213801	1096255084.922896	1096255083.829249	1096255083.829301	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.223026	CtPZjS20MLrsMUOJi2	192.168.50.50	123	207.234.209.181	123	3	2	3	1024.000000	0.000008	0.072678	0.035049	-	-	198.82.1.203	-	1096254326.189600	1096255084.922896	1096255083.824154	1096255083.824174	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.280949	Ck51lg1bScffFj34Ri	192.168.50.50	123	66.92.68.246	123	3	2	1	1024.000000	0.000015	0.000000	0.000320	-	GPS\x00	-	-	1096255078.223498	1096255084.932911	1096255083.836845	1096255083.836870	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.304774	CP5puj4I8PtEU4qzYg	192.168.50.50	123	24.34.79.42	123	3	2	2	1024.000000	0.000031	0.123322	0.039917	-	-	131.107.1.10	-	1096254970.010788	1096255084.922896	1096255083.825662	1096255083.825692	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.353360	CNnMIj2QSd84NKf7U3	192.168.50.50	123	66.115.136.4	123	3	2	2	1024.000000	0.000008	0.016632	0.028641	-	-	130.207.244.240	-	1096254406.517429	1096255084.932911	1096255083.853291	1096255083.853336	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.406368	CFLRIC3zaTU1loLGxh	192.168.50.50	123	66.33.206.5	123	3	2	2	1024.000000	0.000004	0.012360	0.022202	-	-	192.12.19.20	-	1096255027.694744	1096255084.932911	1096255083.850895	1096255083.850907	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.439833	C9rXSW3KSpTYvPrlI1	192.168.50.50	123	66.33.216.11	123	3	2	2	1024.000000	0.000001	0.009857	0.043747	-	-	204.123.2.72	-	1096254508.255586	1096255084.932911	1096255083.850965	1096255083.851024	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.480955	C9mvWx3ezztgzcexV7	192.168.50.50	123	66.111.46.200	123	3	2	2	1024.000000	0.000001	0.056396	0.062164	-	-	198.30.92.2	-	1096253376.841474	1096255084.932911	1096255083.847619	1096255083.847644	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.522297	CwjjYJ2WqgTbAqiHl6	192.168.50.50	123	64.112.189.11	123	3	2	2	1024.000000	0.000015	0.081268	0.029877	-	-	128.10.252.6	-	1096254706.140290	1096255084.922896	1096255083.850451	1096255083.850465	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.562197	CmES5u32sYpV7JYN	192.168.50.50	123	216.27.185.42	123	3	2	2	1024.000000	0.000004	0.029846	0.045456	-	-	164.67.62.194	-	1096254209.896379	1096255084.922896	1096255083.849099	1096255083.849269	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+1096255085.599961	CUM0KZ3MLUfNB0cl11	192.168.50.50	123	209.132.176.4	123	3	2	1	1024.000000	0.000015	0.000000	0.000504	-	CDMA	-	-	1096255068.944018	1096255084.922896	1096255083.827772	1096255083.828313	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+#close	2019-06-06-14-36-29
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
index be9c6ad425..7fc7a9aede 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
@@ -1,9 +1,9 @@
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, offs=0, c=0, data=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, offs=0, c=0, data=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, offs=0, c=0, data=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
 ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=1, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
 ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=42, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, offs=0, c=0, data=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, offs=0, c=0, data=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, offs=0, c=0, data=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
 ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=1, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log
index fdfd021186..a441d8397b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log
@@ -3,16 +3,16 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-05-09-15-16
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ReqCode	auth_bit	sequence	implementation	err
-#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	bool	count	count	count
-1558603188.282844	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	-	-	-	-	-
-1558603188.283617	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	-	-	-	-	-
-1558603188.286063	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	-	-	-	-	-
-1558603201.135003	ClEkJM2Vm5giqnMf4h	127.0.0.1	57531	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	1	F	-	3	0
-1558603206.793297	C4J4Th3PJpwUYZZ6gc	127.0.0.1	46918	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	42	F	-	3	0
-1558603213.886044	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	-	-	-	-	-
-1558603213.886779	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	-	-	-	-	-
-1558603213.889030	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	-	-	-	-	-
-1558603219.996399	CUM0KZ3MLUfNB0cl11	127.0.0.1	55675	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	1	F	-	3	0
-#close	2019-06-05-09-15-16
+#open	2019-06-06-14-36-41
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
+1558603188.282844	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	0	(empty)	-	-	-	-	-
+1558603188.283617	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	0	(empty)	-	-	-	-	-
+1558603188.286063	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	0	(empty)	-	-	-	-	-
+1558603201.135003	ClEkJM2Vm5giqnMf4h	127.0.0.1	57531	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	-	-	1	F	-	3	0
+1558603206.793297	C4J4Th3PJpwUYZZ6gc	127.0.0.1	46918	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	-	-	42	F	-	3	0
+1558603213.886044	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	0	(empty)	-	-	-	-	-
+1558603213.886779	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	0	(empty)	-	-	-	-	-
+1558603213.889030	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	0	(empty)	-	-	-	-	-
+1558603219.996399	CUM0KZ3MLUfNB0cl11	127.0.0.1	55675	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	-	-	1	F	-	3	0
+#close	2019-06-06-14-36-41
diff --git a/testing/btest/Traces/ntp/NTP-digest.pcap b/testing/btest/Traces/ntp/NTP-digest.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0e8a262cabee5a7b1c78ecd40915ab0a1c3acf0e
GIT binary patch
literal 5864
zcmb{0eKeF=90%|jGa52NikK}SOl45Wc4W8FyA|ybRuqbrsi=dk%sew*qLjQwVRxmN
zybO71Lv<?JUM4DoR<$EjQd!mZUh=m0cJ>_iFZZAOd(Lyt{oQl__?++WkLNkJ^Ga=z
z8jVRCFD8u+8oD*t?|v|gmH^i9ZLk{f9GiBAZK0l~pWGb*kGt!Q%x2Jj44O(eg)Jzx
z|9f57C_mB7X+rS0=f|6?O?nQtGHJ9)^=C`s{#Lf1>WWqG6u@(6Dcj5Ag@px5ut%5C
zh2fb2eW%KXqGX2@LC(%VWV?los7Zy0USmY(g{?)JP-M?wye^*}^dbD7%NJd*xK0ls
zsv;y(CXb6)Y8cUN;ge`rC_1l9wv>)&-`!>7u!dPV@F)t1cwuBRQkEeiD~#x!aKtPL
zijL-G%!vNX+jc9`F3-X7(WN{f>JKL)vRj6T+$R=Q7>UgH4L}jqICV6AeY*}nH94bT
zP_eTHh>{42q?L#$1S47?TG$3aG<sV7qbbSjl~Jzh0+mP}E`0_>!#l`i#Ir?2c^FZc
zDERU)6xkT){jR8VGuT5he$LcO3e@Lu{i1i05#`TEM1NvL*`mWmE>OgY*>C23^8CDK
zycaP+2O44xfv6^ujOh7sM05iqIx5Qa?S>-Vw9Q#bO>O3y*+<7F&#|;!4MhJ$kr8dK
zLPVc2q8p;~BNw5l)kIv>qp~Rsw3a#=`_rQWfoKLH5vO`wq@jZm^@tR-NGPI4F2z?F
zusFw@wuNLlIu2$5QO+-9GLoesBL2i8*;LVpX9pBz45z9|cbmMO>^;QP?e86`1R^Iw
zB1J1A^2dmH)U*=#*`((#)ym29?JE5^Y4EtK^~`(MfXHMwnT+I2L==q?t)$HBq)^n+
zrSOTUpK?2_ahX=LthGYThU-@?BqQ=KMntDEq6ErkcnFHJSCl^x4BLmW6_s^~TSDbp
zKqQMLBWi9#L=70xAu3R~9*TtJ$pd)}tDhXomW=M3Yf-EXL|+JrQo<0?IgIEqwdHId
z6fIb8r=wv|D2VF(mvSunm_Hqez9%%b0R|#!#)xvLtywZCitrY@9q!-pF2LqZ*dN;?
z1(rZ07m=CT{!~QNjuA;IO8!+;{F$$D=>fIU;_b@qMq}L-OM%E#Ohyzi2NAu%h%QrE
zPVf(yUj1r|OP%3~s}+6Bgx=v5MFBu`j*zHoXk4Vp!ibbqNnIxtX`M)3tF5%S&=TGs
z|CjchxL_dSNXTRql7fiX7||o@wCNKlqBn_Oxmjg}vHjNAvAZ&B5`pM>JQ)$|E+Vp-
zSX9ZNZq2^{Md2BNDXy=dd+f4#9Q`Ix5YY@o50l7<<ckr}c8tiC8dZM@MXa44EXO#D
zn01M^jbkluueAb^J|WSmSVR<q5xI*eIn9Eiwd!RVR>9{4t3o!b>^JZSX|`OygcLFv
z-Pw(Z$}plhv3<i4C^B@tQ?vI#4}Y|o5o6}oU;P~r{dACwsAM%FdWsQU6o<cbf}*_M
zQufWIP3&*vFI-rcL$0p_A|pbgqa%pu6Gqe~jtgZ&(R$7b18X5iL$1E+cH?8~-*y90
zQ!1H^c5WCKO`e4jeG=z~vY@D5+H4i0Y)$5>HVM1a9$J?I(WP`UB5h4X<T0_RiYso>
zUjjwL-bXgvWbRRA$Da5h<?`(MG9ZdfBO@|AjEFojqPgN*L7Sjx&~mnME#=vF?*6FG
zd$;U$N+9yeCL`kaAfkATC_wyqrXCcfr`F%<6sBusy%I|erxfY1?YMp&Ib=j;?TDxv
zBTALb?tKSE?oYoxJ9B30F0K049<K^&1zaGC&m|+WFh)eJ7*VNYu`j$}qc1Q1ZtXI!
zjIBB@{thv1CWT%=RF+3Zl+cfeK4L^2l0b_CP~_dRvBS*6r_tZH#I$?6i9;9=RURWF
zD!4i>($d6;o=F5x??aKF^7=;ex&oh1oI3xs#6_ktK*S-Gktzxi8Dc~qBzvx(gdzpc
z^EywaYgD%NNxbtJdT1OFT_hyhdj}DjO)NT1lO*LELXqm^reC+s+ZCK-?86srcH<ub
zqJn%fQ}gUYM2j$@X_DOgPoc<}QFZVQ#dj6#KmNXSSyy2#5G^SnBQljCA}@?+p`_ON
Y>rKS0Q&-x1r)Zd__imVD>6)wmA4!ipasU7T

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ntp/ntp-digest.test b/testing/btest/scripts/base/protocols/ntp/ntp-digest.test
new file mode 100644
index 0000000000..78d836e117
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ntp/ntp-digest.test
@@ -0,0 +1,11 @@
+# @TEST-EXEC: zeek -C -r $TRACES/ntp/NTP-digest.pcap %INPUT
+# @TEST-EXEC: btest-diff ntp.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ntp
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message)
+{
+   print fmt("ntp_message %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, msg);
+}
+

From 326ff6f6c0cbea7a9e256653feaf0fd1cc615642 Mon Sep 17 00:00:00 2001
From: jatkinosn <jeff.atkinosn@verizonmedia.com>
Date: Thu, 6 Jun 2019 15:05:34 -0400
Subject: [PATCH 30/91] Cleaning up indentations and return true.

---
 src/analyzer/protocol/rdp/rdp-analyzer.pac | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index 49398ec0a8..b178af5de6 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -106,13 +106,14 @@ refine flow RDP_Flow += {
 		if ( ! rdp_client_security_data )
                         return false;
 	 
-			RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
-			csd->Assign(0, val_mgr->GetCount(${csec.encryption_methods}));
-			csd->Assign(1, val_mgr->GetCount(${csec.ext_encryption_methods}));
-    
-			BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
-								    connection()->bro_analyzer()->Conn(),
-								    csd);
+		RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
+		csd->Assign(0, val_mgr->GetCount(${csec.encryption_methods}));
+		csd->Assign(1, val_mgr->GetCount(${csec.ext_encryption_methods}));
+   
+		BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
+							    connection()->bro_analyzer()->Conn(),
+							    csd);
+		return true;
 		%}
 
 	function proc_rdp_client_network_data(cnetwork: Client_Network_Data): bool

From ab4becc454b877d2eb79c80d860cf348b20d0538 Mon Sep 17 00:00:00 2001
From: jatkinosn <jeff.atkinosn@verizonmedia.com>
Date: Thu, 6 Jun 2019 15:16:47 -0400
Subject: [PATCH 31/91] Adding comments specific to client security data in
 record definition.

---
 scripts/base/init-bare.zeek | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 144c02737f..b399c9b5bd 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4276,8 +4276,11 @@ export {
 		dig_product_id:         string &optional;
 	};
 
+	## The TS_UD_CS_SEC data block contains security-related information used to advertise client cryptographic support.
 	type RDP::ClientSecurityData: record {
+ 		## Cryptographic encryption methods supported by the client and used in conjunction with Standard RDP Security.
 		encryption_methods:	count;
+		## Only used in French locale and designates the encryption method.  If set then encryption methods should be set to 0.
 		ext_encryption_methods:	count;
 	};
 

From 0b5acebfb9dffaaa5c9383d58a47b6aea6800d79 Mon Sep 17 00:00:00 2001
From: Anthony Kasza <ak@corelight.com>
Date: Thu, 6 Jun 2019 13:52:09 -0600
Subject: [PATCH 32/91] add: rdp_native_encrytped_data event

---
 src/analyzer/protocol/rdp/RDP.cc     | 7 ++++++-
 src/analyzer/protocol/rdp/events.bif | 9 +++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc
index f3ceaae699..30c80af5a1 100644
--- a/src/analyzer/protocol/rdp/RDP.cc
+++ b/src/analyzer/protocol/rdp/RDP.cc
@@ -10,7 +10,7 @@ RDP_Analyzer::RDP_Analyzer(Connection* c)
 	: tcp::TCP_ApplicationAnalyzer("RDP", c)
 	{
 	interp = new binpac::RDP::RDP_Conn(this);
-	
+
 	had_gap = false;
 	pia = 0;
 	}
@@ -72,6 +72,11 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 
 			ForwardStream(len, data, orig);
 			}
+		else
+			{
+			BifEvent::generate_rdp_native_encrypted_data(interp->bro_analyzer(),
+				interp->bro_analyzer()->Conn(), orig, len);
+			}
 		}
 	else // if not encrypted
 		{
diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif
index 463e3b8d07..ef9f9d247e 100644
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@@ -1,3 +1,12 @@
+## Generated for each packet after RDP native encryption begins
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## orig: True if the packet was sent by the originator of the connection.
+##
+## len: The length of the encrypted data.
+event rdp_native_encrypted_data%(c: connection, orig: bool, len: count%);
+
 ## Generated for X.224 client requests.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.

From be091271f72b05e8dbbd8acb0da7dc5da8c7c649 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Thu, 6 Jun 2019 18:51:09 -0700
Subject: [PATCH 33/91] Rename Bro to Zeek in Zeekygen-generated documentation

---
 CHANGES                                   |   4 +
 VERSION                                   |   2 +-
 doc                                       |   2 +-
 src/analyzer/protocol/arp/events.bif      |   6 +-
 src/analyzer/protocol/dns/events.bif      |  42 +++---
 src/analyzer/protocol/finger/events.bif   |   8 +-
 src/analyzer/protocol/gnutella/events.bif |  24 ++--
 src/analyzer/protocol/http/events.bif     |  14 +-
 src/analyzer/protocol/icmp/events.bif     |  12 +-
 src/analyzer/protocol/ident/events.bif    |  12 +-
 src/analyzer/protocol/login/events.bif    |  72 +++++-----
 src/analyzer/protocol/mime/events.bif     |  48 +++----
 src/analyzer/protocol/ncp/events.bif      |   8 +-
 src/analyzer/protocol/netbios/events.bif  |  68 ++++-----
 src/analyzer/protocol/ntp/events.bif      |   8 +-
 src/analyzer/protocol/pop3/events.bif     |  28 ++--
 src/analyzer/protocol/rpc/events.bif      | 164 +++++++++++-----------
 src/analyzer/protocol/smb/smb1_events.bif |   2 +-
 src/analyzer/protocol/smb/smb2_events.bif |   2 +-
 src/analyzer/protocol/smtp/events.bif     |   4 +-
 src/analyzer/protocol/ssl/events.bif      |  16 +--
 src/analyzer/protocol/syslog/events.bif   |   2 +-
 src/analyzer/protocol/tcp/events.bif      |  34 +++--
 src/analyzer/protocol/tcp/functions.bif   |   2 +-
 src/bro.bif                               |  58 ++++----
 src/broker/data.bif                       |   2 +-
 src/const.bif                             |   2 +-
 src/event.bif                             | 100 ++++++-------
 src/probabilistic/bloom-filter.bif        |   8 +-
 src/stats.bif                             |   6 +-
 src/strings.bif                           |   2 +-
 src/types.bif                             |   2 +-
 src/zeekygen/zeekygen.bif                 |   4 +-
 33 files changed, 393 insertions(+), 375 deletions(-)

diff --git a/CHANGES b/CHANGES
index cd53f319a5..c2f21a3188 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.6-387 | 2019-06-06 18:51:09 -0700
+
+  * Rename Bro to Zeek in Zeekygen-generated documentation (Jon Siwek, Corelight)
+
 2.6-386 | 2019-06-06 17:17:55 -0700
 
   * Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)
diff --git a/VERSION b/VERSION
index dea38bed9a..4192289b6a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-386
+2.6-387
diff --git a/doc b/doc
index 9ca066677c..46801e2b55 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 9ca066677c56d7926ec6a4396b7ef02cb0b3958a
+Subproject commit 46801e2b553ae71623710fbc0b67fe76552d4597
diff --git a/src/analyzer/protocol/arp/events.bif b/src/analyzer/protocol/arp/events.bif
index e12d0acd1c..f8c6394455 100644
--- a/src/analyzer/protocol/arp/events.bif
+++ b/src/analyzer/protocol/arp/events.bif
@@ -40,7 +40,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 			TPA: addr, THA: string%);
 
-## Generated for ARP packets that Bro cannot interpret. Examples are packets
+## Generated for ARP packets that Zeek cannot interpret. Examples are packets
 ## with non-standard hardware address formats or hardware addresses that do not
 ## match the originator of the packet.
 ##
@@ -56,8 +56,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 ##
 ## .. zeek:see:: arp_reply arp_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 1113ca2687..ae57219775 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -1,7 +1,7 @@
 ## Generated for all DNS messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -26,7 +26,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 ## is raised once for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -55,7 +55,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ## the reply; there's no stateful correlation with the query.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -81,7 +81,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
 ## Generated for each entry in the Question section of a DNS reply.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -109,7 +109,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -134,7 +134,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -159,7 +159,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -184,7 +184,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -209,7 +209,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -234,7 +234,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -259,7 +259,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -284,7 +284,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -307,7 +307,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -330,7 +330,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -357,7 +357,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -401,7 +401,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -433,7 +433,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
 
 ## Generated on DNS reply resource records when the type of record is not one
-## that Bro knows how to parse and generate another more specific event.
+## that Zeek knows how to parse and generate another more specific event.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
 ##    transport-layer session being analyzed.
@@ -451,7 +451,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -474,7 +474,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -565,7 +565,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 ## all resource records have been passed on.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -590,6 +590,6 @@ event dns_full_request%(%);
 
 ## msg: The raw DNS payload.
 ##
-## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
+## .. note:: This event is deprecated and superseded by Zeek's dynamic protocol
 ##    detection framework.
 event non_dns_request%(c: connection, msg: string%);
diff --git a/src/analyzer/protocol/finger/events.bif b/src/analyzer/protocol/finger/events.bif
index d1b9212c22..bc5180b1eb 100644
--- a/src/analyzer/protocol/finger/events.bif
+++ b/src/analyzer/protocol/finger/events.bif
@@ -13,9 +13,9 @@
 ##
 ## .. zeek:see:: finger_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event finger_request%(c: connection, full: bool, username: string, hostname: string%);
 
@@ -30,9 +30,9 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str
 ##
 ## .. zeek:see:: finger_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event finger_reply%(c: connection, reply_line: string%);
 
diff --git a/src/analyzer/protocol/gnutella/events.bif b/src/analyzer/protocol/gnutella/events.bif
index f09b0890c7..4168646543 100644
--- a/src/analyzer/protocol/gnutella/events.bif
+++ b/src/analyzer/protocol/gnutella/events.bif
@@ -7,9 +7,9 @@
 ##    gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
 ##
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 
@@ -21,9 +21,9 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 ## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 				ttl: count, hops: count, msg_len: count,
@@ -38,9 +38,9 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ##    gnutella_not_establish  gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_partial_binary_msg%(c: connection, orig: bool,
 					msg: string, len: count%);
@@ -53,9 +53,9 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
 ## .. zeek:see:: gnutella_binary_msg  gnutella_http_notify gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_establish%(c: connection%);
 
@@ -67,9 +67,9 @@ event gnutella_establish%(c: connection%);
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_not_establish%(c: connection%);
 
@@ -81,8 +81,8 @@ event gnutella_not_establish%(c: connection%);
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_http_notify%(c: connection%);
diff --git a/src/analyzer/protocol/http/events.bif b/src/analyzer/protocol/http/events.bif
index f86ee09ccd..60b0880a43 100644
--- a/src/analyzer/protocol/http/events.bif
+++ b/src/analyzer/protocol/http/events.bif
@@ -1,5 +1,5 @@
 
-## Generated for HTTP requests. Bro supports persistent and pipelined HTTP
+## Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a request's initial line has
 ## been parsed, and before any :zeek:id:`http_header` events are raised.
@@ -22,7 +22,7 @@
 ##    truncate_http_URI http_connection_upgrade
 event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
 
-## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
+## Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a reply's initial line has
 ## been parsed, and before any :zeek:id:`http_header` events are raised.
@@ -43,7 +43,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
 ##    http_stats http_connection_upgrade
 event http_reply%(c: connection, version: string, code: count, reason: string%);
 
-## Generated for HTTP headers. Bro supports persistent and pipelined HTTP
+## Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues.
 ##
@@ -67,7 +67,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
 event http_header%(c: connection, is_orig: bool, name: string, value: string%);
 
 ## Generated for HTTP headers, passing on all headers of an HTTP message at
-## once. Bro supports persistent and pipelined HTTP sessions and raises
+## once. Zeek supports persistent and pipelined HTTP sessions and raises
 ## corresponding events as it parses client/server dialogues.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -92,7 +92,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
 ## Generated when starting to parse an HTTP body entity. This event is generated
 ## at least once for each non-empty (client or server) HTTP body; and
 ## potentially more than once if the body contains further nested MIME
-## entities. Bro raises this event just before it starts parsing each entity's
+## entities. Zeek raises this event just before it starts parsing each entity's
 ## content.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -111,7 +111,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
 ## Generated when finishing parsing an HTTP body entity. This event is generated
 ## at least once for each non-empty (client or server) HTTP body; and
 ## potentially more than once if the body contains further nested MIME
-## entities. Bro raises this event at the point when it has finished parsing an
+## entities. Zeek raises this event at the point when it has finished parsing an
 ## entity's content.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -181,7 +181,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
 ##    entities.
 event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%);
 
-## Generated once at the end of parsing an HTTP message. Bro supports persistent
+## Generated once at the end of parsing an HTTP message. Zeek supports persistent
 ## and pipelined HTTP sessions and raises corresponding events as it parses
 ## client/server dialogues. A "message" is one top-level HTTP entity, such as a
 ## complete request or reply. Each message can have further nested sub-entities
diff --git a/src/analyzer/protocol/icmp/events.bif b/src/analyzer/protocol/icmp/events.bif
index ef7d2b7da5..ada3fe48a0 100644
--- a/src/analyzer/protocol/icmp/events.bif
+++ b/src/analyzer/protocol/icmp/events.bif
@@ -1,5 +1,5 @@
 ## Generated for all ICMP messages that are not handled separately with
-## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
+## dedicated ICMP events. Zeek's ICMP analyzer handles a number of ICMP messages
 ## directly with dedicated events. This event acts as a fallback for those it
 ## doesn't.
 ##
@@ -70,7 +70,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
 event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
 
 ## Generated for all ICMPv6 error messages that are not handled
-## separately with dedicated events. Bro's ICMP analyzer handles a number
+## separately with dedicated events. Zeek's ICMP analyzer handles a number
 ## of ICMP error messages directly with dedicated events. This event acts
 ## as a fallback for those it doesn't.
 ##
@@ -107,7 +107,7 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Unreachable* messages should include the original IP
-##          header from the packet that triggered them, and Bro parses that
+##          header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *unreachable*
 ##          includes only a partial IP header for some reason, no
 ##          fields of *context* will be filled out.
@@ -131,7 +131,7 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Too big* messages should include the original IP header
-##          from the packet that triggered them, and Bro parses that into
+##          from the packet that triggered them, and Zeek parses that into
 ##          the *context* structure. Note that if the *too big* includes only
 ##          a partial IP header for some reason, no fields of *context* will
 ##          be filled out.
@@ -155,7 +155,7 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Unreachable* messages should include the original IP
-##          header from the packet that triggered them, and Bro parses that
+##          header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *exceeded* includes
 ##          only a partial IP header for some reason, no fields of *context*
 ##          will be filled out.
@@ -179,7 +179,7 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Parameter problem* messages should include the original
-##          IP header from the packet that triggered them, and Bro parses that
+##          IP header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *parameter problem*
 ##          includes only a partial IP header for some reason, no fields
 ##          of *context* will be filled out.
diff --git a/src/analyzer/protocol/ident/events.bif b/src/analyzer/protocol/ident/events.bif
index ecbf8efee8..d348c0307f 100644
--- a/src/analyzer/protocol/ident/events.bif
+++ b/src/analyzer/protocol/ident/events.bif
@@ -11,9 +11,9 @@
 ##
 ## .. zeek:see:: ident_error ident_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_request%(c: connection, lport: port, rport: port%);
 
@@ -34,9 +34,9 @@ event ident_request%(c: connection, lport: port, rport: port%);
 ##
 ## .. zeek:see:: ident_error  ident_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
 
@@ -55,9 +55,9 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
 ##
 ## .. zeek:see:: ident_reply ident_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_error%(c: connection, lport: port, rport: port, line: string%);
 
diff --git a/src/analyzer/protocol/login/events.bif b/src/analyzer/protocol/login/events.bif
index 39921b4c5e..45b82ea11e 100644
--- a/src/analyzer/protocol/login/events.bif
+++ b/src/analyzer/protocol/login/events.bif
@@ -21,9 +21,9 @@
 ## .. note:: For historical reasons, these events are separate from the
 ##    ``login_`` events. Ideally, they would all be handled uniquely.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
 
@@ -48,9 +48,9 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line
 ## .. note:: For historical reasons, these events are separate from the
 ##    ``login_`` events. Ideally, they would all be handled uniquely.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
 
@@ -79,12 +79,12 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying login attempts. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeeks's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
@@ -114,12 +114,12 @@ event login_failure%(c: connection, user: string, client_user: string, password:
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying login attempts. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
@@ -134,9 +134,9 @@ event login_success%(c: connection, user: string, client_user: string, password:
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_output_line login_prompt login_success login_terminal    rsh_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_input_line%(c: connection, line: string%);
@@ -151,14 +151,14 @@ event login_input_line%(c: connection, line: string%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line  login_prompt login_success login_terminal rsh_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_output_line%(c: connection, line: string%);
 
-## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
+## Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
 ## *login* analyzer uses a number of heuristics to extract authentication
 ## information, it may become confused. If it can no longer correctly track
 ## the authentication dialog, it raises this event.
@@ -178,9 +178,9 @@ event login_output_line%(c: connection, line: string%);
 ##    login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
 ##    login_timeouts set_login_state
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_confused%(c: connection, msg: string, line: string%);
@@ -199,9 +199,9 @@ event login_confused%(c: connection, msg: string, line: string%);
 ##    get_login_state login_failure_msgs login_non_failure_msgs login_prompts
 ##    login_success_msgs login_timeouts set_login_state
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_confused_text%(c: connection, line: string%);
@@ -216,9 +216,9 @@ event login_confused_text%(c: connection, line: string%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line login_output_line login_prompt login_success
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_terminal%(c: connection, terminal: string%);
@@ -233,9 +233,9 @@ event login_terminal%(c: connection, terminal: string%);
 ## .. zeek:see:: login_confused login_confused_text  login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_display%(c: connection, display: string%);
@@ -258,9 +258,9 @@ event login_display%(c: connection, display: string%);
 ##    while :zeek:id:`login_success` heuristically determines success by watching
 ##    session data.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_accepted%(name: string, c: connection%);
@@ -283,9 +283,9 @@ event authentication_accepted%(name: string, c: connection%);
 ##    while :zeek:id:`login_success` heuristically determines failure by watching
 ##    session data.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_rejected%(name: string, c: connection%);
@@ -304,12 +304,12 @@ event authentication_rejected%(name: string, c: connection%);
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying activity. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_skipped%(c: connection%);
@@ -328,9 +328,9 @@ event authentication_skipped%(c: connection%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line login_output_line  login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_prompt%(c: connection, prompt: string%);
@@ -380,9 +380,9 @@ event inconsistent_option%(c: connection%);
 ##    login_confused_text login_display login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event bad_option%(c: connection%);
@@ -399,9 +399,9 @@ event bad_option%(c: connection%);
 ##    login_confused_text login_display login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event bad_option_termination%(c: connection%);
diff --git a/src/analyzer/protocol/mime/events.bif b/src/analyzer/protocol/mime/events.bif
index 1c73e2e69b..2b38d60481 100644
--- a/src/analyzer/protocol/mime/events.bif
+++ b/src/analyzer/protocol/mime/events.bif
@@ -1,9 +1,9 @@
 ## Generated when starting to parse an email MIME entity. MIME is a
 ## protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. Bro raises this event when it
+## corresponding metadata, for transmission. Zeek raises this event when it
 ## begins parsing a MIME entity extracted from an email protocol.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -13,16 +13,16 @@
 ##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
 ##    http_begin_entity
 ##
-## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_begin_entity` instead.
 event mime_begin_entity%(c: connection%);
 
 ## Generated when finishing parsing an email MIME entity.  MIME is a
 ## protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. Bro raises this event when it
+## corresponding metadata, for transmission. Zeek raises this event when it
 ## finished parsing a MIME entity extracted from an email protocol.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -32,7 +32,7 @@ event mime_begin_entity%(c: connection%);
 ##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
 ##    http_end_entity
 ##
-## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_end_entity` instead.
 event mime_end_entity%(c: connection%);
 
@@ -40,7 +40,7 @@ event mime_end_entity%(c: connection%);
 ## entities.  MIME is a protocol-independent data format for encoding text and
 ## files, along with corresponding metadata, for transmission.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -52,7 +52,7 @@ event mime_end_entity%(c: connection%);
 ##    mime_end_entity mime_entity_data mime_event  mime_segment_data
 ##    http_header  http_all_headers
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_header` instead.
 event mime_one_header%(c: connection, h: mime_header_rec%);
 
@@ -60,7 +60,7 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
 ## headers at once.  MIME is a protocol-independent data format for encoding
 ## text and files, along with corresponding metadata, for transmission.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -74,21 +74,21 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##    http_header  http_all_headers
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_header` instead.
 event mime_all_headers%(c: connection, hlist: mime_header_list%);
 
 ## Generated for chunks of decoded MIME data from email MIME entities.  MIME
 ## is a protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. As Bro parses the data of an
+## corresponding metadata, for transmission. As Zeek parses the data of an
 ## entity, it raises a sequence of these events, each coming as soon as a new
 ## chunk of data is available. In contrast, there is also
 ## :zeek:id:`mime_entity_data`, which passes all of an entities data at once
 ## in a single block. While the latter is more convenient to handle,
-## ``mime_segment_data`` is more efficient as Bro does not need to buffer
+## ``mime_segment_data`` is more efficient as Zeek does not need to buffer
 ## the data. Thus, if possible, this event should be preferred.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -102,7 +102,7 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
 ##    mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
 ##    mime_segment_length mime_segment_overlap_length
 ##
-## .. note:: Bro also extracts MIME data from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME data from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_entity_data` (sic!) instead.
 event mime_segment_data%(c: connection, length: count, data: string%);
 
@@ -111,10 +111,10 @@ event mime_segment_data%(c: connection, length: count, data: string%);
 ## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
 ## which passes on a sequence of data chunks as they come in. While
 ## ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
-## more efficient as Bro does not need to buffer the data. Thus, if possible,
+## more efficient as Zeek does not need to buffer the data. Thus, if possible,
 ## the latter should be preferred.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -127,7 +127,7 @@ event mime_segment_data%(c: connection, length: count, data: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ##    mime_end_entity  mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_entity_data%(c: connection, length: count, data: string%);
 
@@ -137,7 +137,7 @@ event mime_entity_data%(c: connection, length: count, data: string%);
 ## of the potentially significant buffering necessary, using this event can be
 ## expensive.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -150,13 +150,13 @@ event mime_entity_data%(c: connection, length: count, data: string%);
 ## .. zeek:see::  mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_all_data%(c: connection, length: count, data: string%);
 
 ## Generated for errors found when decoding email MIME entities.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -170,15 +170,15 @@ event mime_all_data%(c: connection, length: count, data: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ##    mime_end_entity mime_entity_data  mime_one_header mime_segment_data http_event
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_event` instead.
 event mime_event%(c: connection, event_type: string, detail: string%);
 
 ## Generated for decoded MIME entities extracted from email messages, passing on
-## their MD5 checksums. Bro computes the MD5 over the complete decoded data of
+## their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
 ## each MIME entity.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -191,7 +191,7 @@ event mime_event%(c: connection, event_type: string, detail: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_content_hash%(c: connection, content_len: count, hash_value: string%);
 
diff --git a/src/analyzer/protocol/ncp/events.bif b/src/analyzer/protocol/ncp/events.bif
index 05da060658..d7b87d2e27 100644
--- a/src/analyzer/protocol/ncp/events.bif
+++ b/src/analyzer/protocol/ncp/events.bif
@@ -13,9 +13,9 @@
 ##
 ## .. zeek:see:: ncp_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
 
@@ -38,9 +38,9 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count%
 ##
 ## .. zeek:see:: ncp_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);
 
diff --git a/src/analyzer/protocol/netbios/events.bif b/src/analyzer/protocol/netbios/events.bif
index ed51264e92..6d109368f4 100644
--- a/src/analyzer/protocol/netbios/events.bif
+++ b/src/analyzer/protocol/netbios/events.bif
@@ -1,10 +1,10 @@
-## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
+## Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
 ## processes the NetBIOS session service running on TCP port 139, and (despite
 ## its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -21,22 +21,22 @@
 ##    netbios_session_ret_arg_resp  decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
 
-## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
+## Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
 ## analyzer processes the NetBIOS session service running on TCP port 139, and
 ## (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -49,22 +49,22 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_request%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *positive session response*. Bro's
+## Generated for NetBIOS messages of type *positive session response*. Zeek's
 ## NetBIOS analyzer processes the NetBIOS session service running on TCP port
 ## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -77,22 +77,22 @@ event netbios_session_request%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_accepted%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *negative session response*. Bro's
+## Generated for NetBIOS messages of type *negative session response*. Zeek's
 ## NetBIOS analyzer processes the NetBIOS session service running on TCP port
 ## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -105,12 +105,12 @@ event netbios_session_accepted%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_rejected%(c: connection, msg: string%);
 
@@ -122,7 +122,7 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -137,25 +137,25 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: This is an oddly named event. In fact, it's probably an odd event
 ##    to have to begin with.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 
-## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
+## Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
 ## analyzer processes the NetBIOS session service running on TCP port 139, and
 ## (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -168,24 +168,24 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 ##    netbios_session_request decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: This is an oddly named event.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
+## Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
 ## processes the NetBIOS session service running on TCP port 139, and (despite
 ## its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -198,12 +198,12 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_keepalive%(c: connection, msg: string%);
 
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
index d32d680799..1fc95d9f32 100644
--- a/src/analyzer/protocol/ntp/events.bif
+++ b/src/analyzer/protocol/ntp/events.bif
@@ -1,4 +1,4 @@
-## Generated for all NTP messages. Different from many other of Bro's events,
+## Generated for all NTP messages. Different from many other of Zeek's events,
 ## this one is generated for both client-side and server-side messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
@@ -8,14 +8,14 @@
 ##
 ## msg: The parsed NTP message.
 ##
-## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
+## excess: The raw bytes of any optional parts of the NTP packet. Zeek does not
 ##         further parse any optional fields.
 ##
 ## .. zeek:see:: ntp_session_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 
diff --git a/src/analyzer/protocol/pop3/events.bif b/src/analyzer/protocol/pop3/events.bif
index c51632b6c2..7f06008a88 100644
--- a/src/analyzer/protocol/pop3/events.bif
+++ b/src/analyzer/protocol/pop3/events.bif
@@ -15,9 +15,9 @@
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_request%(c: connection, is_orig: bool,
 			command: string, arg: string%);
@@ -42,9 +42,9 @@ event pop3_request%(c: connection, is_orig: bool,
 ##
 ## .. todo:: This event is receiving odd parameters, should unify.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 
@@ -65,9 +65,9 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 ## .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_data%(c: connection, is_orig: bool, data: string%);
 
@@ -88,9 +88,9 @@ event pop3_data%(c: connection, is_orig: bool, data: string%);
 ##
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_unexpected%(c: connection, is_orig: bool,
 			msg: string, detail: string%);
@@ -108,9 +108,9 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
 ##    pop3_request pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_starttls%(c: connection%);
 
@@ -131,9 +131,9 @@ event pop3_starttls%(c: connection%);
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_login_success%(c: connection, is_orig: bool,
 				user: string, password: string%);
@@ -155,9 +155,9 @@ event pop3_login_success%(c: connection, is_orig: bool,
 ## .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_login_failure%(c: connection, is_orig: bool,
 				user: string, password: string%);
diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif
index fd6331360d..9b96dcb9de 100644
--- a/src/analyzer/protocol/rpc/events.bif
+++ b/src/analyzer/protocol/rpc/events.bif
@@ -15,9 +15,9 @@
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 
@@ -43,9 +43,9 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
 
@@ -71,9 +71,9 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t%);
 
@@ -99,9 +99,9 @@ event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
 
@@ -127,9 +127,9 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##    NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
 
@@ -155,9 +155,9 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
 
@@ -183,9 +183,9 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -211,9 +211,9 @@ event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkarg
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    nfs_proc_symlink rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t%);
 
@@ -240,9 +240,9 @@ event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, r
 ##    rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
 ##    NFS3::return_data_max
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
 
@@ -268,9 +268,9 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -296,9 +296,9 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -324,9 +324,9 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##    nfs_proc_readlink  nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
@@ -352,9 +352,9 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_readlink nfs_proc_remove  nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
@@ -380,9 +380,9 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
 ##    nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%);
 
@@ -408,13 +408,13 @@ event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameoparg
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
 
-## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
+## Generated for NFSv3 request/reply dialogues of a type that Zeek's NFSv3
 ## analyzer does not implement.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
@@ -425,15 +425,15 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## proc: The procedure called that Bro does not implement.
+## proc: The procedure called that Zeek does not implement.
 ##
 ## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ##    nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
 ##    nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
 
@@ -449,9 +449,9 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 
@@ -468,9 +468,9 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_null%(r: connection%);
 
@@ -493,9 +493,9 @@ event pm_request_null%(r: connection%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 
@@ -518,9 +518,9 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 
@@ -541,9 +541,9 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
 
@@ -563,9 +563,9 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_dump%(r: connection, m: pm_mappings%);
 
@@ -587,9 +587,9 @@ event pm_request_dump%(r: connection, m: pm_mappings%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
 
@@ -610,9 +610,9 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_null%(r: connection, status: rpc_status%);
 
@@ -635,9 +635,9 @@ event pm_attempt_null%(r: connection, status: rpc_status%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
 
@@ -660,9 +660,9 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
 
@@ -684,9 +684,9 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
 ##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
 
@@ -707,9 +707,9 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request
 ##    pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_dump%(r: connection, status: rpc_status%);
 
@@ -732,9 +732,9 @@ event pm_attempt_dump%(r: connection, status: rpc_status%);
 ##    pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
 
@@ -757,9 +757,9 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ
 ##    pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_bad_port%(r: connection, bad_p: count%);
 
@@ -792,9 +792,9 @@ event pm_bad_port%(r: connection, bad_p: count%);
 ## .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
@@ -819,9 +819,9 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status:
 ## .. zeek:see::  rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
@@ -843,9 +843,9 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count,
 ## .. zeek:see:: rpc_call rpc_dialogue  dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);
@@ -862,9 +862,9 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
 
@@ -885,9 +885,9 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t%);
 
@@ -905,9 +905,9 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
 
@@ -925,27 +925,27 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
 
-## Generated for MOUNT3 request/reply dialogues of a type that Bro's MOUNTv3
+## Generated for MOUNT3 request/reply dialogues of a type that Zeek's MOUNTv3
 ## analyzer does not implement.
 ##
 ## c: The RPC connection.
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## proc: The procedure called that Bro does not implement.
+## proc: The procedure called that Zeek does not implement.
 ##
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t%);
 
@@ -959,8 +959,8 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_reply_status%(n: connection, info: MOUNT3::info_t%);
diff --git a/src/analyzer/protocol/smb/smb1_events.bif b/src/analyzer/protocol/smb/smb1_events.bif
index e5134b8bd0..c797f21ff5 100644
--- a/src/analyzer/protocol/smb/smb1_events.bif
+++ b/src/analyzer/protocol/smb/smb1_events.bif
@@ -2,7 +2,7 @@
 ## messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
-## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
 ## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
 ## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
 ## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
diff --git a/src/analyzer/protocol/smb/smb2_events.bif b/src/analyzer/protocol/smb/smb2_events.bif
index 7f7d6ab9db..2071a0600e 100644
--- a/src/analyzer/protocol/smb/smb2_events.bif
+++ b/src/analyzer/protocol/smb/smb2_events.bif
@@ -2,7 +2,7 @@
 ## version 2 messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
-## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
 ## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
 ## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
 ## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.
diff --git a/src/analyzer/protocol/smtp/events.bif b/src/analyzer/protocol/smtp/events.bif
index 9bc9190b31..3dfd82b75e 100644
--- a/src/analyzer/protocol/smtp/events.bif
+++ b/src/analyzer/protocol/smtp/events.bif
@@ -20,7 +20,7 @@
 ##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
 ##    smtp_data smtp_reply
 ##
-## .. note:: Bro does not support the newer ETRN extension yet.
+## .. note:: Zeek does not support the newer ETRN extension yet.
 event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
 
 ## Generated for server-side SMTP commands.
@@ -51,7 +51,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%)
 ##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
 ##    smtp_data  smtp_request
 ##
-## .. note:: Bro doesn't support the newer ETRN extension yet.
+## .. note:: Zeek doesn't support the newer ETRN extension yet.
 event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
 
 ## Generated for DATA transmitted on SMTP sessions. This event is raised for
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index e00dd83cc6..8c2ee98899 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -1,5 +1,5 @@
 ## Generated for an SSL/TLS client's initial *hello* message.  SSL/TLS sessions
-## start with an unencrypted handshake, and Bro extracts as much information out
+## start with an unencrypted handshake, and Zeek extracts as much information out
 ## of that as it can. This event provides access to the initial information
 ## sent by the client.
 ##
@@ -38,7 +38,7 @@
 event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
-## start with an unencrypted handshake, and Bro extracts as much information out
+## start with an unencrypted handshake, and Zeek extracts as much information out
 ## of that as it can. This event provides access to the initial information
 ## sent by the client.
 ##
@@ -80,11 +80,11 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
 event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
-## sessions start with an unencrypted handshake, and Bro extracts as much
+## sessions start with an unencrypted handshake, and Zeek extracts as much
 ## information out of that as it can. This event provides access to any
 ## extensions either side sends as part of an extended *hello* message.
 ##
-## Note that Bro offers more specialized events for a few extensions.
+## Note that Zeek offers more specialized events for a few extensions.
 ##
 ## c: The connection.
 ##
@@ -385,7 +385,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
 event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
-## an unencrypted handshake, and Bro extracts as much information out of that
+## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
 ## handshake and its endpoints consider it as fully established. Typically,
 ## everything from now on will be encrypted.
@@ -400,7 +400,7 @@ event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes:
 event ssl_established%(c: connection%);
 
 ## Generated for SSL/TLS alert records. SSL/TLS sessions start with an
-## unencrypted handshake, and Bro extracts as much information out of that as
+## unencrypted handshake, and Zeek extracts as much information out of that as
 ## it can. If during that handshake, an endpoint encounters a fatal error, it
 ## sends an *alert* record, that in turn triggers this event. After an *alert*,
 ## any endpoint may close the connection immediately.
@@ -424,7 +424,7 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 
 ## Generated for SSL/TLS handshake messages that are a part of the
 ## stateless-server session resumption mechanism. SSL/TLS sessions start with
-## an unencrypted handshake, and Bro extracts as much information out of that
+## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event is raised when an SSL/TLS server passes a session
 ## ticket to the client that can later be used for resuming the session. The
 ## mechanism is described in :rfc:`4507`.
@@ -468,7 +468,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ## Generated for SSL/TLS messages that are sent before full session encryption
 ## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
 ## here this event will be raised for early packets that are already using
-## pre-encryption.  # This event is also used by Bro internally to determine if
+## pre-encryption.  # This event is also used by Zeek internally to determine if
 ## the connection has been completely setup. This is necessary as TLS 1.3 does
 ## not have CCS anymore.
 ##
diff --git a/src/analyzer/protocol/syslog/events.bif b/src/analyzer/protocol/syslog/events.bif
index f82adc7e69..2c4e3d9775 100644
--- a/src/analyzer/protocol/syslog/events.bif
+++ b/src/analyzer/protocol/syslog/events.bif
@@ -12,6 +12,6 @@
 ##
 ## msg: The message logged.
 ##
-## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP
+## .. note:: Zeek currently parses only UDP syslog traffic. Support for TCP
 ##    syslog will be added soon.
 event syslog_message%(c: connection, facility: count, severity: count, msg: string%);
diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif
index 72cf44c243..032e8f614f 100644
--- a/src/analyzer/protocol/tcp/events.bif
+++ b/src/analyzer/protocol/tcp/events.bif
@@ -1,6 +1,6 @@
 
 ## Generated when reassembly starts for a TCP connection. This event is raised
-## at the moment when Bro's TCP analyzer enables stream reassembly for a
+## at the moment when Zeek's TCP analyzer enables stream reassembly for a
 ## connection.
 ##
 ## c: The connection.
@@ -47,8 +47,8 @@ event connection_attempt%(c: connection%);
 ##    new_connection new_connection_contents partial_connection
 event connection_established%(c: connection%);
 
-## Generated for a new active TCP connection if Bro did not see the initial
-## handshake. This event is raised when Bro has observed traffic from each
+## Generated for a new active TCP connection if Zeek did not see the initial
+## handshake. This event is raised when Zeek has observed traffic from each
 ## endpoint, but the activity did not begin with the usual connection
 ## establishment.
 ##
@@ -65,7 +65,7 @@ event partial_connection%(c: connection%);
 
 ## Generated when a previously inactive endpoint attempts to close a TCP
 ## connection via a normal FIN handshake or an abort RST sequence. When the
-## endpoint sent one of these packets, Bro waits
+## endpoint sent one of these packets, Zeek waits
 ## :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give
 ## the other endpoint a chance to close the connection normally.
 ##
@@ -94,7 +94,7 @@ event connection_finished%(c: connection%);
 
 ## Generated when one endpoint of a TCP connection attempted to gracefully close
 ## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
-## happen due to split routing, in which Bro only sees one side of a connection.
+## happen due to split routing, in which Zeek only sees one side of a connection.
 ##
 ## c: The connection.
 ##
@@ -123,7 +123,7 @@ event connection_half_finished%(c: connection%);
 ##
 ##    If the responder does not respond at all, :zeek:id:`connection_attempt` is
 ##    raised instead. If the responder initially accepts the connection but
-##    aborts it later, Bro first generates :zeek:id:`connection_established`
+##    aborts it later, Zeek first generates :zeek:id:`connection_established`
 ##    and then :zeek:id:`connection_reset`.
 event connection_rejected%(c: connection%);
 
@@ -142,7 +142,7 @@ event connection_rejected%(c: connection%);
 ##    partial_connection
 event connection_reset%(c: connection%);
 
-## Generated for each still-open TCP connection when Bro terminates.
+## Generated for each still-open TCP connection when Zeek terminates.
 ##
 ## c: The connection.
 ##
@@ -154,7 +154,7 @@ event connection_reset%(c: connection%);
 ##    new_connection new_connection_contents partial_connection zeek_done
 event connection_pending%(c: connection%);
 
-## Generated for a SYN packet. Bro raises this event for every SYN packet seen
+## Generated for a SYN packet. Zeek raises this event for every SYN packet seen
 ## by its TCP analyzer.
 ##
 ## c: The connection.
@@ -283,11 +283,25 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
 ##    application-layer protocol analyzers internally. Subsequent invocations of
 ##    this event for the same connection receive non-overlapping in-order chunks
 ##    of its TCP payload stream. It is however undefined what size each chunk
-##    has; while Bro passes the data on as soon as possible, specifics depend on
+##    has; while Zeek passes the data on as soon as possible, specifics depend on
 ##    network-level effects such as latency, acknowledgements, reordering, etc.
 event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
 
-## TODO.
+## Generated for each detected TCP segment retransmission.
+##
+## c: The connection the packet is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+##
+## seq: The segment's relative TCP sequence number.
+##
+## len: The length of the TCP segment, as specified in the packet header.
+##
+## data_in_flight: The number of bytes corresponding to the difference between
+##                 the last sequence number and last acknowledgement number
+##                 we've seen for a given endpoint.
+##
+## window: the TCP window size.
 event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
 
 ## Generated if a TCP flow crosses a checksum-error threshold, per
diff --git a/src/analyzer/protocol/tcp/functions.bif b/src/analyzer/protocol/tcp/functions.bif
index c74c7ef9b5..af8a894137 100644
--- a/src/analyzer/protocol/tcp/functions.bif
+++ b/src/analyzer/protocol/tcp/functions.bif
@@ -77,7 +77,7 @@ function get_resp_seq%(cid: conn_id%): count
 ##              responder (often the server).
 ##            - ``CONTENTS_BOTH``: Record the data sent in both directions.
 ##              Results in the two directions being intermixed in the file,
-##              in the order the data was seen by Bro.
+##              in the order the data was seen by Zeek.
 ##
 ## f: The file handle of the file to write the contents to.
 ##
diff --git a/src/bro.bif b/src/bro.bif
index 038ca48862..10f9bfa4bd 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -4,7 +4,7 @@
 ##! filtering, interprocess communication and controlling protocol analyzer
 ##! behavior.
 ##!
-##! You'll find most of Bro's built-in functions that aren't protocol-specific
+##! You'll find most of Zeek's built-in functions that aren't protocol-specific
 ##! in this file.
 
 %%{ // C segment
@@ -304,7 +304,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
 ## Returns the current wall-clock time.
 ##
 ## In general, you should use :zeek:id:`network_time` instead
-## unless you are using Bro for non-networking uses (such as general
+## unless you are using Zeek for non-networking uses (such as general
 ## scripting; not particularly recommended), because otherwise your script
 ## may behave very differently on live traffic versus played-back traffic
 ## from a save file.
@@ -364,7 +364,7 @@ function setenv%(var: string, val: string%): bool
 	return val_mgr->GetBool(1);
 	%}
 
-## Shuts down the Bro process immediately.
+## Shuts down the Zeek process immediately.
 ##
 ## code: The exit code to return with.
 ##
@@ -375,12 +375,12 @@ function exit%(code: int%): any
 	return 0;
 	%}
 
-## Gracefully shut down Bro by terminating outstanding processing.
+## Gracefully shut down Zeek by terminating outstanding processing.
 ##
-## Returns: True after successful termination and false when Bro is still in
+## Returns: True after successful termination and false when Zeek is still in
 ##          the process of shutting down.
 ##
-## .. zeek:see:: exit bro_is_terminating
+## .. zeek:see:: exit zeek_is_terminating
 function terminate%(%): bool
 	%{
 	if ( terminating )
@@ -600,7 +600,7 @@ function sha256_hash%(...%): string
 	%}
 
 ## Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC
-## secret key is generated from available entropy when Bro starts up, or it can
+## secret key is generated from available entropy when Zeek starts up, or it can
 ## be specified for repeatability using the ``-K`` command line flag.
 ##
 ## Returns: The HMAC-MD5 hash value of the concatenated arguments.
@@ -893,7 +893,7 @@ function syslog%(s: string%): any
 	return 0;
 	%}
 
-## Determines the MIME type of a piece of data using Bro's file magic
+## Determines the MIME type of a piece of data using Zeek's file magic
 ## signatures.
 ##
 ## data: The data to find the MIME type for.
@@ -918,7 +918,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 	return new StringVal(strongest_match);
 	%}
 
-## Determines the MIME type of a piece of data using Bro's file magic
+## Determines the MIME type of a piece of data using Zeek's file magic
 ## signatures.
 ##
 ## data: The data for which to find matching MIME types.
@@ -1705,7 +1705,7 @@ function log10%(d: double%): double
 # ===========================================================================
 
 ## Determines whether a connection has been received externally. For example,
-## Broccoli or the Time Machine can send packets to Bro via a mechanism that is
+## Broccoli or the Time Machine can send packets to Zeek via a mechanism that is
 ## one step lower than sending events. This function checks whether the packets
 ## of a connection stem from one of these external *packet sources*.
 ##
@@ -1726,9 +1726,9 @@ function current_analyzer%(%) : count
 	return val_mgr->GetCount(mgr.CurrentAnalyzer());
 	%}
 
-## Returns Bro's process ID.
+## Returns Zeek's process ID.
 ##
-## Returns: Bro's process ID.
+## Returns: Zeek's process ID.
 function getpid%(%) : count
 	%{
 	return val_mgr->GetCount(getpid());
@@ -1780,7 +1780,7 @@ function record_type_to_vector%(rt: string%): string_vec
 	return result;
 	%}
 
-## Returns the type name of an arbitrary Bro variable.
+## Returns the type name of an arbitrary Zeek variable.
 ##
 ## t: An arbitrary object.
 ##
@@ -1796,9 +1796,9 @@ function type_name%(t: any%): string
 	return new StringVal(s);
 	%}
 
-## Checks whether Bro reads traffic from one or more network interfaces (as
+## Checks whether Zeek reads traffic from one or more network interfaces (as
 ## opposed to from a network trace in a file). Note that this function returns
-## true even after Bro has stopped reading network traffic, for example due to
+## true even after Zeek has stopped reading network traffic, for example due to
 ## receiving a termination signal.
 ##
 ## Returns: True if reading traffic from a network interface.
@@ -1809,7 +1809,7 @@ function reading_live_traffic%(%): bool
 	return val_mgr->GetBool(reading_live);
 	%}
 
-## Checks whether Bro reads traffic from a trace file (as opposed to from a
+## Checks whether Zeek reads traffic from a trace file (as opposed to from a
 ## network interface).
 ##
 ## Returns: True if reading traffic from a network trace.
@@ -2098,9 +2098,9 @@ function zeek_is_terminating%(%): bool
 	return val_mgr->GetBool(terminating);
 	%}
 
-## Returns the hostname of the machine Bro runs on.
+## Returns the hostname of the machine Zeek runs on.
 ##
-## Returns: The hostname of the machine Bro runs on.
+## Returns: The hostname of the machine Zeek runs on.
 function gethostname%(%) : string
 	%{
 	char buffer[MAXHOSTNAMELEN];
@@ -3911,7 +3911,7 @@ static bool mmdb_try_open_asn ()
 %%}
 
 ## Initializes MMDB for later use of lookup_location.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## f: The filename of the MaxMind City or Country DB.
 ##
@@ -3928,7 +3928,7 @@ function mmdb_open_location_db%(f: string%) : bool
 	%}
 
 ## Initializes MMDB for later use of lookup_asn.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## f: The filename of the MaxMind ASN DB.
 ##
@@ -3945,7 +3945,7 @@ function mmdb_open_asn_db%(f: string%) : bool
 	%}
 
 ## Performs a geo-lookup of an IP address.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## a: The IP address to lookup.
 ##
@@ -4030,7 +4030,7 @@ function lookup_location%(a: addr%) : geo_location
 	%}
 
 ## Performs an ASN lookup of an IP address.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## a: The IP address to lookup.
 ##
@@ -4248,8 +4248,8 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 	return val_mgr->GetBool(1);
 	%}
 
-## Informs Bro that it should skip any further processing of the contents of
-## a given connection. In particular, Bro will refrain from reassembling the
+## Informs Zeek that it should skip any further processing of the contents of
+## a given connection. In particular, Zeek will refrain from reassembling the
 ## TCP byte stream and from generating events relating to any analyzers that
 ## have been processing the connection.
 ##
@@ -4260,7 +4260,7 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 ##
 ## .. note::
 ##
-##     Bro will still generate connection-oriented events such as
+##     Zeek will still generate connection-oriented events such as
 ##     :zeek:id:`connection_finished`.
 function skip_further_processing%(cid: conn_id%): bool
 	%{
@@ -4287,7 +4287,7 @@ function skip_further_processing%(cid: conn_id%): bool
 ##
 ## .. note::
 ##
-##     This is independent of whether Bro processes the packets of this
+##     This is independent of whether Zeek processes the packets of this
 ##     connection, which is controlled separately by
 ##     :zeek:id:`skip_further_processing`.
 ##
@@ -4671,7 +4671,7 @@ function file_size%(f: string%) : double
 
 ## Disables sending :zeek:id:`print_hook` events to remote peers for a given
 ## file. In a
-## distributed setup, communicating Bro instances generate the event
+## distributed setup, communicating Zeek instances generate the event
 ## :zeek:id:`print_hook` for each print statement and send it to the remote
 ## side. When disabled for a particular file, these events will not be
 ## propagated to other peers.
@@ -4958,7 +4958,7 @@ function is_remote_event%(%) : bool
 	return val_mgr->GetBool(mgr.CurrentSource() != SOURCE_LOCAL);
 	%}
 
-## Stops Bro's packet processing. This function is used to synchronize
+## Stops Zeek's packet processing. This function is used to synchronize
 ## distributed trace processing with communication enabled
 ## (*pseudo-realtime* mode).
 ##
@@ -4969,7 +4969,7 @@ function suspend_processing%(%) : any
 	return 0;
 	%}
 
-## Resumes Bro's packet processing.
+## Resumes Zeek's packet processing.
 ##
 ## .. zeek:see:: suspend_processing
 function continue_processing%(%) : any
diff --git a/src/broker/data.bif b/src/broker/data.bif
index 53ce5d506c..2c3f922e1d 100644
--- a/src/broker/data.bif
+++ b/src/broker/data.bif
@@ -8,7 +8,7 @@
 module Broker;
 
 ## Enumerates the possible types that :zeek:see:`Broker::Data` may be in
-## terms of Bro data types.
+## terms of Zeek data types.
 enum DataType %{
 	NONE,
 	BOOL,
diff --git a/src/const.bif b/src/const.bif
index 9da5950259..c20615892d 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -1,4 +1,4 @@
-##! Declaration of various scripting-layer constants that the Bro core uses
+##! Declaration of various scripting-layer constants that the Zeek core uses
 ##! internally.  Documentation and default values for the scripting-layer
 ##! variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
 
diff --git a/src/event.bif b/src/event.bif
index 549f1b35fc..589ff61201 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -1,4 +1,4 @@
-##! The protocol-independent events that the C/C++ core of Bro can generate.
+##! The protocol-independent events that the C/C++ core of Zeek can generate.
 ##!
 ##! This is mostly events not related to a specific transport- or
 ##! application-layer protocol, but also includes a few that may be generated
@@ -68,7 +68,7 @@ event zeek_done%(%);
 event bro_done%(%) &deprecated;
 
 ## Generated for every new connection. This event is raised with the first
-## packet of a previously unknown connection. Bro uses a flow-based definition
+## packet of a previously unknown connection. Zeek uses a flow-based definition
 ## of "connection" here that includes not only TCP sessions but also UDP and
 ## ICMP flows.
 ##
@@ -94,7 +94,7 @@ event new_connection%(c: connection%);
 ## *tunnel* field is NOT automatically/internally assigned to the new
 ## encapsulation value of *e* after this event is raised.  If the desired
 ## behavior is to track the latest tunnel encapsulation per-connection,
-## then a handler of this event should assign *e* to ``c$tunnel`` (which Bro's
+## then a handler of this event should assign *e* to ``c$tunnel`` (which Zeek's
 ## default scripts are doing).
 ##
 ## c: The connection whose tunnel/encapsulation changed.
@@ -128,7 +128,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
 event connection_timeout%(c: connection%);
 
 ## Generated when a connection's internal state is about to be removed from
-## memory. Bro generates this event reliably once for every connection when it
+## memory. Zeek generates this event reliably once for every connection when it
 ## is about to delete the internal state. As such, the event is well-suited for
 ## script-level cleanup that needs to be performed for every connection.  This
 ## event is generated not only for TCP sessions but also for UDP and ICMP
@@ -145,7 +145,7 @@ event connection_timeout%(c: connection%);
 ##    tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
 event connection_state_remove%(c: connection%);
 
-## Generated when a connection 4-tuple is reused. This event is raised when Bro
+## Generated when a connection 4-tuple is reused. This event is raised when Zeek
 ## sees a new TCP session or UDP flow using a 4-tuple matching that of an
 ## earlier connection it still considers active.
 ##
@@ -188,7 +188,7 @@ event connection_status_update%(c: connection%);
 event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
 
 ## Generated for a new connection received from the communication subsystem.
-## Remote peers can inject packets into Bro's packet loop, for example via
+## Remote peers can inject packets into Zeek's packet loop, for example via
 ## Broccoli.  The communication system
 ## raises this event with the first packet of a connection coming in this way.
 ##
@@ -198,7 +198,7 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co
 event connection_external%(c: connection, tag: string%);
 
 ## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising
+## Zeek's application-layer UDP analyzers flag the end of a session by raising
 ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
 ## Teredo, and GTPv1 support this.
 ##
@@ -208,7 +208,7 @@ event connection_external%(c: connection, tag: string%);
 event udp_session_done%(u: connection%);
 
 ## Generated when a connection is seen that is marked as being expected.
-## The function :zeek:id:`Analyzer::schedule_analyzer` tells Bro to expect a
+## The function :zeek:id:`Analyzer::schedule_analyzer` tells Zeek to expect a
 ## particular connection to come up, and which analyzer to associate with it.
 ## Once the first packet of such a connection is indeed seen, this event is
 ## raised.
@@ -231,7 +231,7 @@ event udp_session_done%(u: connection%);
 ##    ``ANALYZER_*`` constants right now.
 event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
 
-## Generated for every packet Bro sees that have a valid link-layer header. This
+## Generated for every packet Zeek sees that have a valid link-layer header. This
 ## is a very very low-level and expensive event that should be avoided when at all
 ## possible. It's usually infeasible to handle when processing even medium volumes
 ## of traffic in real-time. That said, if you work from a trace and want to do some
@@ -242,7 +242,7 @@ event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
 ## .. zeek:see:: new_packet packet_contents
 event raw_packet%(p: raw_pkt_hdr%);
 
-## Generated for all packets that make it into Bro's connection processing. In
+## Generated for all packets that make it into Zeek's connection processing. In
 ## contrast to :zeek:id:`raw_packet` this filters out some more packets that don't
 ## pass certain sanity checks.
 ##
@@ -298,8 +298,8 @@ event mobile_ipv6_message%(p: pkt_hdr%);
 ## .. zeek:see:: new_packet tcp_packet
 event packet_contents%(c: connection, contents: string%);
 
-## Generated when Bro detects a TCP retransmission inconsistency. When
-## reassembling a TCP stream, Bro buffers all payload until it sees the
+## Generated when Zeek detects a TCP retransmission inconsistency. When
+## reassembling a TCP stream, Zeek buffers all payload until it sees the
 ## responder acking it. If during that time, the sender resends a chunk of
 ## payload but with different content than originally, this event will be
 ## raised. In addition, if :zeek:id:`tcp_max_old_segments` is larger than zero,
@@ -320,10 +320,10 @@ event packet_contents%(c: connection, contents: string%);
 ## .. zeek:see:: tcp_rexmit tcp_contents
 event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
 
-## Generated when Bro detects a gap in a reassembled TCP payload stream. This
-## event is raised when Bro, while reassembling a payload stream, determines
+## Generated when Zeek detects a gap in a reassembled TCP payload stream. This
+## event is raised when Zeek, while reassembling a payload stream, determines
 ## that a chunk of payload is missing (e.g., because the responder has already
-## acknowledged it, even though Bro didn't see it).
+## acknowledged it, even though Zeek didn't see it).
 ##
 ## c: The connection.
 ##
@@ -343,7 +343,7 @@ event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: st
 event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 
 ## Generated when a protocol analyzer confirms that a connection is indeed
-## using that protocol. Bro's dynamic protocol detection heuristically activates
+## using that protocol. Zeek's dynamic protocol detection heuristically activates
 ## analyzers as soon as it believes a connection *could* be using a particular
 ## protocol. It is then left to the corresponding analyzer to verify whether
 ## that is indeed the case; if so, this event will be generated.
@@ -364,13 +364,13 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 ##
 ## .. note::
 ##
-##    Bro's default scripts use this event to determine the ``service`` column
+##    Zeek's default scripts use this event to determine the ``service`` column
 ##    of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
 ##    there (and thus in ``conn.log``).
 event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
 
 ## Generated when a protocol analyzer determines that a connection it is parsing
-## is not conforming to the protocol it expects. Bro's dynamic protocol
+## is not conforming to the protocol it expects. Zeek's dynamic protocol
 ## detection heuristically activates analyzers as soon as it believes a
 ## connection *could* be using a particular protocol. It is then left to the
 ## corresponding analyzer to verify whether that is indeed the case; if not,
@@ -394,14 +394,14 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
 ##
 ## .. note::
 ##
-##    Bro's default scripts use this event to disable an analyzer via
+##    Zeek's default scripts use this event to disable an analyzer via
 ##    :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's
 ##    however a script-level decision and not done automatically by the event
 ##    engine.
 event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
 
 ## Generated when a TCP connection terminated, passing on statistics about the
-## two endpoints. This event is always generated when Bro flushes the internal
+## two endpoints. This event is always generated when Zeek flushes the internal
 ## connection state, independent of how a connection terminates.
 ##
 ## c: The connection.
@@ -414,12 +414,12 @@ event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reaso
 event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 
 ## Generated for unexpected activity related to a specific connection.  When
-## Bro's packet analysis encounters activity that does not conform to a
+## Zeek's packet analysis encounters activity that does not conform to a
 ## protocol's specification, it raises one of the ``*_weird`` events to report
 ## that. This event is raised if the activity is tied directly to a specific
 ## connection.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -436,13 +436,13 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 event conn_weird%(name: string, c: connection, addl: string%);
 
 ## Generated for unexpected activity related to a pair of hosts, but independent
-## of a specific connection.  When Bro's packet analysis encounters activity
+## of a specific connection.  When Zeek's packet analysis encounters activity
 ## that does not conform to a protocol's specification, it raises one of
 ## the ``*_weird`` events to report that. This event is raised if the activity
 ## is related to a pair of hosts, yet not to a specific connection between
 ## them.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -459,12 +459,12 @@ event conn_weird%(name: string, c: connection, addl: string%);
 event flow_weird%(name: string, src: addr, dst: addr%);
 
 ## Generated for unexpected activity that is not tied to a specific connection
-## or pair of hosts. When Bro's packet analysis encounters activity that
+## or pair of hosts. When Zeek's packet analysis encounters activity that
 ## does not conform to a protocol's specification, it raises one of the
 ## ``*_weird`` events to report that. This event is raised if the activity is
 ## not tied directly to a specific connection or pair of hosts.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -477,11 +477,11 @@ event flow_weird%(name: string, src: addr, dst: addr%);
 event net_weird%(name: string%);
 
 ## Generated for unexpected activity that is tied to a file.
-## When Bro's packet analysis encounters activity that
+## When Zeek's packet analysis encounters activity that
 ## does not conform to a protocol's specification, it raises one of the
 ## ``*_weird`` events to report that.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -497,11 +497,11 @@ event net_weird%(name: string%);
 ##    endpoint's implementation interprets an RFC quite liberally.
 event file_weird%(name: string, f: fa_file, addl: string%);
 
-## Generated regularly for the purpose of profiling Bro's processing. This event
+## Generated regularly for the purpose of profiling Zeek's processing. This event
 ## is raised for every :zeek:id:`load_sample_freq` packet. For these packets,
-## Bro records script-level functions executed during their processing as well
+## Zeek records script-level functions executed during their processing as well
 ## as further internal locations. By sampling the processing in this form, one
-## can understand where Bro spends its time.
+## can understand where Zeek spends its time.
 ##
 ## samples: A set with functions and locations seen during the processing of
 ##          the sampled packet.
@@ -511,13 +511,13 @@ event file_weird%(name: string, f: fa_file, addl: string%);
 ## dmem: The difference in memory usage caused by processing the sampled packet.
 event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
 
-## Generated when a signature matches. Bro's signature engine provides
+## Generated when a signature matches. Zeek's signature engine provides
 ## high-performance pattern matching separately from the normal script
 ## processing. If a signature with an ``event`` action matches, this event is
 ## raised.
 ##
 ## See the :doc:`user manual </frameworks/signatures>` for more information
-## about Bro's signature engine.
+## about Zeek's signature engine.
 ##
 ## state: Context about the match, including which signatures triggered the
 ##        event and the connection for which the match was found.
@@ -525,7 +525,7 @@ event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
 ## msg: The message passed to the ``event`` signature action.
 ##
 ## data: The last chunk of input that triggered the match. Note that the
-##       specifics here are not well-defined as Bro does not buffer any input.
+##       specifics here are not well-defined as Zeek does not buffer any input.
 ##       If a match is split across packet boundaries, only the last chunk
 ##       triggering the match will be passed on to the event.
 event signature_match%(state: signature_state, msg: string, data: string%);
@@ -572,7 +572,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ## different analyzers. For example, the HTTP analyzer reports user-agent and
 ## server software by raising this event. Different from
 ## :zeek:id:`software_version_found`  and :zeek:id:`software_parse_error`, this
-## event is always raised, independent of whether Bro can parse the version
+## event is always raised, independent of whether Zeek can parse the version
 ## string.
 ##
 ## c: The connection.
@@ -584,7 +584,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ## .. zeek:see:: software_parse_error software_version_found OS_version_found
 event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 
-## Generated when an operating system has been fingerprinted. Bro uses `p0f
+## Generated when an operating system has been fingerprinted. Zeek uses `p0f
 ## <http://lcamtuf.coredump.cx/p0f.shtml>`__ to fingerprint endpoints passively,
 ## and it raises this event for each system identified. The p0f fingerprints are
 ## defined by :zeek:id:`passive_fingerprint_file`.
@@ -600,7 +600,7 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 ##    generate_OS_version_event
 event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 
-## Generated each time Bro's internal profiling log is updated. The file is
+## Generated each time Zeek's internal profiling log is updated. The file is
 ## defined by :zeek:id:`profiling_file`, and its update frequency by
 ## :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`.
 ##
@@ -612,7 +612,7 @@ event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 ## .. zeek:see::  profiling_interval expensive_profiling_multiple
 event profiling_update%(f: file, expensive: bool%);
 
-## Raised for informational messages reported via Bro's reporter framework. Such
+## Raised for informational messages reported via Zeek's reporter framework. Such
 ## messages may be generated internally by the event engine and also by other
 ## scripts calling :zeek:id:`Reporter::info`.
 ##
@@ -626,12 +626,12 @@ event profiling_update%(f: file, expensive: bool%);
 ## .. zeek:see:: reporter_warning reporter_error Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 
-## Raised for warnings reported via Bro's reporter framework. Such messages may
+## Raised for warnings reported via Zeek's reporter framework. Such messages may
 ## be generated internally by the event engine and also by other scripts calling
 ## :zeek:id:`Reporter::warning`.
 ##
@@ -645,12 +645,12 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 ## .. zeek:see:: reporter_info reporter_error Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 
-## Raised for errors reported via Bro's reporter framework. Such messages may
+## Raised for errors reported via Zeek's reporter framework. Such messages may
 ## be generated internally by the event engine and also by other scripts calling
 ## :zeek:id:`Reporter::error`.
 ##
@@ -664,7 +664,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 ## .. zeek:see:: reporter_info reporter_warning Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_error%(t: time, msg: string, location: string%) &error_handler;
@@ -680,7 +680,7 @@ event zeek_script_loaded%(path: string, level: count%);
 ## Deprecated synonym for :zeek:see:`zeek_script_loaded`.
 event bro_script_loaded%(path: string, level: count%) &deprecated;
 
-## Generated each time Bro's script interpreter opens a file. This event is
+## Generated each time Zeek's script interpreter opens a file. This event is
 ## triggered only for files opened via :zeek:id:`open`, and in particular not for
 ## normal log files as created by log writers.
 ##
@@ -796,7 +796,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%);
 event file_state_remove%(f: fa_file%);
 
 ## Generated when an internal DNS lookup produces the same result as last time.
-## Bro keeps an internal DNS cache for host names and IP addresses it has
+## Zeek keeps an internal DNS cache for host names and IP addresses it has
 ## already resolved. This event is generated when a subsequent lookup returns
 ## the same result as stored in the cache.
 ##
@@ -807,7 +807,7 @@ event file_state_remove%(f: fa_file%);
 event dns_mapping_valid%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup got no answer even though it had
-## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
+## succeeded in the past. Zeek keeps an internal DNS cache for host names and IP
 ## addresses it has already resolved. This event is generated when a
 ## subsequent lookup does not produce an answer even though we have
 ## already stored a result in the cache.
@@ -819,7 +819,7 @@ event dns_mapping_valid%(dm: dns_mapping%);
 event dns_mapping_unverified%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup succeeded but an earlier attempt
-## did not. Bro keeps an internal DNS cache for host names and IP
+## did not. Zeek keeps an internal DNS cache for host names and IP
 ## addresses it has already resolved. This event is generated when a subsequent
 ## lookup produces an answer for a query that was marked as failed in the cache.
 ##
@@ -830,7 +830,7 @@ event dns_mapping_unverified%(dm: dns_mapping%);
 event dns_mapping_new_name%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup returned zero answers even though it
-## had succeeded in the past. Bro keeps an internal DNS cache for host names
+## had succeeded in the past. Zeek keeps an internal DNS cache for host names
 ## and IP addresses it has already resolved. This event is generated when
 ## on a subsequent lookup we receive an answer that is empty even
 ## though we have already stored a result in the cache.
@@ -842,7 +842,7 @@ event dns_mapping_new_name%(dm: dns_mapping%);
 event dns_mapping_lost_name%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup produced a different result than in
-## the past.  Bro keeps an internal DNS cache for host names and IP addresses
+## the past.  Zeek keeps an internal DNS cache for host names and IP addresses
 ## it has already resolved. This event is generated when a subsequent lookup
 ## returns a different answer than we have stored in the cache.
 ##
@@ -858,7 +858,7 @@ event dns_mapping_lost_name%(dm: dns_mapping%);
 ##    dns_mapping_valid
 event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
 
-## A meta event generated for events that Bro raises. This will report all
+## A meta event generated for events that Zeek raises. This will report all
 ## events for which at least one handler is defined.
 ##
 ## Note that handling this meta event is expensive and should be limited to
diff --git a/src/probabilistic/bloom-filter.bif b/src/probabilistic/bloom-filter.bif
index 284aebc745..166af6d937 100644
--- a/src/probabilistic/bloom-filter.bif
+++ b/src/probabilistic/bloom-filter.bif
@@ -23,7 +23,7 @@ module GLOBAL;
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -60,7 +60,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -104,7 +104,7 @@ function bloomfilter_basic_init2%(k: count, cells: count,
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -206,7 +206,7 @@ function bloomfilter_clear%(bf: opaque of bloomfilter%): any
 
 ## Merges two Bloom filters.
 ##
-## .. note:: Currently Bloom filters created by different Bro instances cannot
+## .. note:: Currently Bloom filters created by different Zeek instances cannot
 ##    be merged. In the future, this will be supported as long as both filters
 ##    are created with the same name.
 ##
diff --git a/src/stats.bif b/src/stats.bif
index d31f66de4e..76bc88083e 100644
--- a/src/stats.bif
+++ b/src/stats.bif
@@ -20,7 +20,7 @@ RecordType* ReporterStats;
 %%}
 
 ## Returns packet capture statistics. Statistics include the number of
-## packets *(i)* received by Bro, *(ii)* dropped, and *(iii)* seen on the
+## packets *(i)* received by Zeek, *(ii)* dropped, and *(iii)* seen on the
 ## link (not always available).
 ##
 ## Returns: A record of packet statistics.
@@ -70,7 +70,7 @@ function get_net_stats%(%): NetStats
 	return r;
 	%}
 
-## Returns Bro traffic statistics.
+## Returns Zeek traffic statistics.
 ##
 ## Returns: A record with connection and packet statistics.
 ##
@@ -121,7 +121,7 @@ function get_conn_stats%(%): ConnStats
 	return r;
 	%}
 
-## Returns Bro process statistics.
+## Returns Zeek process statistics.
 ##
 ## Returns: A record with process statistics.
 ##
diff --git a/src/strings.bif b/src/strings.bif
index 110dbaea9e..6c74db77e9 100644
--- a/src/strings.bif
+++ b/src/strings.bif
@@ -160,7 +160,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string
 ## arg_s: The string to edit.
 ##
 ## arg_edit_char: A string of exactly one character that represents the
-##                "backspace character". If it is longer than one character Bro
+##                "backspace character". If it is longer than one character Zeek
 ##                generates a run-time error and uses the first character in
 ##                the string.
 ##
diff --git a/src/types.bif b/src/types.bif
index 79f5780f52..98d1df0c52 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -1,4 +1,4 @@
-##! Declaration of various types that the Bro core uses internally.
+##! Declaration of various types that the Zeek core uses internally.
 
 enum rpc_status %{
 	RPC_SUCCESS,
diff --git a/src/zeekygen/zeekygen.bif b/src/zeekygen/zeekygen.bif
index a039c83c13..d97cd782bd 100644
--- a/src/zeekygen/zeekygen.bif
+++ b/src/zeekygen/zeekygen.bif
@@ -31,7 +31,7 @@ function get_identifier_comments%(name: string%): string
 	%}
 
 ## Retrieve the Zeekygen-style summary comments (``##!``) associated with
-## a Bro script.
+## a Zeek script.
 ##
 ## name: the name of a Zeek script.  It must be a relative path to where
 ##       it is located within a particular component of ZEEKPATH and use
@@ -50,7 +50,7 @@ function get_script_comments%(name: string%): string
 	return comments_to_val(d->GetComments());
 	%}
 
-## Retrieve the contents of a Bro script package's README file.
+## Retrieve the contents of a Zeek script package's README file.
 ##
 ## name: the name of a Zeek script package.  It must be a relative path
 ##       to where it is located within a particular component of ZEEKPATH.

From 2fa74e4bcb7c26f02af77d4238514e997dd48798 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Thu, 6 Jun 2019 19:48:55 -0700
Subject: [PATCH 34/91] Change default value of peer_description "zeek"

---
 CHANGES                                       |   4 +
 NEWS                                          |   6 +
 VERSION                                       |   2 +-
 doc                                           |   2 +-
 scripts/base/init-bare.zeek                   |   2 +-
 .../bifs.decode_base64_conn/weird.log         |  10 +-
 testing/btest/Baseline/core.checksums/bad.out |  66 +-
 .../btest/Baseline/core.checksums/good.out    |  42 +-
 .../core.disable-mobile-ipv6/weird.log        |   6 +-
 .../Baseline/core.ip-broken-header/weird.log  | 916 +++++++++---------
 .../Baseline/core.negative-time/weird.log     |   6 +-
 .../packet_filter.log                         |   6 +-
 .../Baseline/core.print-bpf-filters/conn.log  |   4 +-
 .../Baseline/core.print-bpf-filters/output    |  18 +-
 testing/btest/Baseline/core.truncation/output |  48 +-
 .../core.tunnels.ip-in-ip-version/output      |  12 +-
 .../weird.log                                 |   8 +-
 testing/btest/Baseline/plugins.hooks/output   |  14 +-
 testing/btest/Baseline/plugins.writer/output  |   2 +-
 .../output                                    |  14 +-
 .../zeekproc.intel.log                        |   6 +-
 .../zeekproc.intel.log                        |   8 +-
 .../output                                    |  16 +-
 .../output                                    |  22 +-
 .../conn.log                                  |  72 +-
 .../conn.log                                  |  72 +-
 .../weird.log                                 |   6 +-
 .../weird.log                                 |   6 +-
 .../weird.log                                 |  58 +-
 .../weird.log                                 |   6 +-
 .../weird.log                                 |   8 +-
 .../weird.log                                 |  10 +-
 .../weird.log                                 |   6 +-
 .../zeekproc.intel.log                        |   6 +-
 .../intel-all.log                             |  22 +-
 .../intel.log                                 |   6 +-
 .../intel.log                                 |  18 +-
 .../intel.log                                 |  44 +-
 testing/external/commit-hash.zeek-testing     |   2 +-
 .../external/commit-hash.zeek-testing-private |   2 +-
 40 files changed, 797 insertions(+), 787 deletions(-)

diff --git a/CHANGES b/CHANGES
index c2f21a3188..f1aa663a98 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.6-388 | 2019-06-06 19:48:55 -0700
+
+  * Change default value of peer_description "zeek" (Jon Siwek, Corelight)
+
 2.6-387 | 2019-06-06 18:51:09 -0700
 
   * Rename Bro to Zeek in Zeekygen-generated documentation (Jon Siwek, Corelight)
diff --git a/NEWS b/NEWS
index b5d5b23af6..b2614e9dfd 100644
--- a/NEWS
+++ b/NEWS
@@ -244,6 +244,12 @@ Changed Functionality
 
       @load policy/files/unified2
 
+- The default value of ``peer_description`` has changed from "bro"
+  to "zeek".  This won't effect most users, except for the fact that
+  this value may appear in several log files, so any external plugins
+  that have written unit tests that compare baselines of such log
+  files may need to be updated.
+
 Removed Functionality
 ---------------------
 
diff --git a/VERSION b/VERSION
index 4192289b6a..5317046328 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-387
+2.6-388
diff --git a/doc b/doc
index 46801e2b55..7b81005333 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 46801e2b553ae71623710fbc0b67fe76552d4597
+Subproject commit 7b81005333a5416e1da6a4c83df678e75dccd6be
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index b949c952b9..b0a4e195f4 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4759,7 +4759,7 @@ const packet_filter_default = F &redef;
 const sig_max_group_size = 50 &redef;
 
 ## Description transmitted to remote communication peers for identification.
-const peer_description = "bro" &redef;
+const peer_description = "zeek" &redef;
 
 ## The number of IO chunks allowed to be buffered between the child
 ## and parent process of remote communication before Zeek starts dropping
diff --git a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log
index 2479b39969..cdee200f0b 100644
--- a/testing/btest/Baseline/bifs.decode_base64_conn/weird.log
+++ b/testing/btest/Baseline/bifs.decode_base64_conn/weird.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-36
+#open	2019-06-07-01-59-08
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1254722767.875996	ClEkJM2Vm5giqnMf4h	10.10.1.4	1470	74.53.140.153	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
-1437831787.861602	CmES5u32sYpV7JYN	192.168.133.100	49648	192.168.133.102	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
-1437831799.610433	C3eiCBGOLw3VtHfOj	192.168.133.100	49655	17.167.150.73	443	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
-#close	2016-07-13-16-12-36
+1254722767.875996	ClEkJM2Vm5giqnMf4h	10.10.1.4	1470	74.53.140.153	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	zeek
+1437831787.861602	CmES5u32sYpV7JYN	192.168.133.100	49648	192.168.133.102	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	zeek
+1437831799.610433	C3eiCBGOLw3VtHfOj	192.168.133.100	49655	17.167.150.73	443	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	zeek
+#close	2019-06-07-01-59-08
diff --git a/testing/btest/Baseline/core.checksums/bad.out b/testing/btest/Baseline/core.checksums/bad.out
index 44ef942ae3..dfa186c419 100644
--- a/testing/btest/Baseline/core.checksums/bad.out
+++ b/testing/btest/Baseline/core.checksums/bad.out
@@ -3,101 +3,101 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-42
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332784981.078396	-	-	-	-	-	bad_IP_checksum	-	F	bro
-#close	2016-07-13-16-12-42
+1332784981.078396	-	-	-	-	-	bad_IP_checksum	-	F	zeek
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-42
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332784885.686428	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	80	bad_TCP_checksum	-	F	bro
-#close	2016-07-13-16-12-42
+1332784885.686428	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	80	bad_TCP_checksum	-	F	zeek
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-43
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332784933.501023	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	13000	bad_UDP_checksum	-	F	bro
-#close	2016-07-13-16-12-43
+1332784933.501023	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	13000	bad_UDP_checksum	-	F	zeek
+#close	2019-06-07-02-20-04
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-43
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075363.536871	CHhAvVGS1DHFjwGM9	192.168.1.100	8	192.168.1.101	0	bad_ICMP_checksum	-	F	bro
-#close	2016-07-13-16-12-43
+1334075363.536871	CHhAvVGS1DHFjwGM9	192.168.1.100	8	192.168.1.101	0	bad_ICMP_checksum	-	F	zeek
+#close	2019-06-07-02-20-04
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-44
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785210.013051	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-1332785210.013051	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	80	bad_TCP_checksum	-	F	bro
-#close	2016-07-13-16-12-44
+1332785210.013051	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	zeek
+1332785210.013051	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	80	bad_TCP_checksum	-	F	zeek
+#close	2019-06-07-02-20-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-44
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332782580.798420	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-1332782580.798420	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	13000	bad_UDP_checksum	-	F	bro
-#close	2016-07-13-16-12-44
+1332782580.798420	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	zeek
+1332782580.798420	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	13000	bad_UDP_checksum	-	F	zeek
+#close	2019-06-07-02-20-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-45
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075111.800086	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-1334075111.800086	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:78:1:32::1	129	bad_ICMP_checksum	-	F	bro
-#close	2016-07-13-16-12-45
+1334075111.800086	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
+1334075111.800086	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:78:1:32::1	129	bad_ICMP_checksum	-	F	zeek
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-45
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785250.469132	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	80	bad_TCP_checksum	-	F	bro
-#close	2016-07-13-16-12-45
+1332785250.469132	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	80	bad_TCP_checksum	-	F	zeek
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-46
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332781342.923813	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	13000	bad_UDP_checksum	-	F	bro
-#close	2016-07-13-16-12-46
+1332781342.923813	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	13000	bad_UDP_checksum	-	F	zeek
+#close	2019-06-07-02-20-07
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-46
+#open	2019-06-07-02-20-07
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
-#close	2016-07-13-16-12-47
+1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	zeek
+#close	2019-06-07-02-20-07
diff --git a/testing/btest/Baseline/core.checksums/good.out b/testing/btest/Baseline/core.checksums/good.out
index 5c99e9390a..50619c654f 100644
--- a/testing/btest/Baseline/core.checksums/good.out
+++ b/testing/btest/Baseline/core.checksums/good.out
@@ -3,68 +3,68 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-46
+#open	2019-06-07-02-20-07
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
-#close	2016-07-13-16-12-47
+1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	zeek
+#close	2019-06-07-02-20-07
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-49
+#open	2019-06-07-02-20-08
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785125.596793	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-#close	2016-07-13-16-12-49
+1332785125.596793	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	zeek
+#close	2019-06-07-02-20-08
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-49
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332782508.592037	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-#close	2016-07-13-16-12-49
+1332782508.592037	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	zeek
+#close	2019-06-07-02-20-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-50
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2016-07-13-16-12-50
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
+#close	2019-06-07-02-20-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-50
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2016-07-13-16-12-50
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
+#close	2019-06-07-02-20-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-50
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2016-07-13-16-12-50
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
+#close	2019-06-07-02-20-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-50
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2016-07-13-16-12-50
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
+#close	2019-06-07-02-20-09
diff --git a/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log b/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log
index ee45663170..ab6fb323d2 100644
--- a/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log
+++ b/testing/btest/Baseline/core.disable-mobile-ipv6/weird.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2012-04-05-21-56-51
+#open	2019-06-07-01-59-20
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1333663011.602839	-	-	-	-	-	unknown_protocol	-	F	bro
-#close	2012-04-05-21-56-51
+1333663011.602839	-	-	-	-	-	unknown_protocol	-	F	zeek
+#close	2019-06-07-01-59-20
diff --git a/testing/btest/Baseline/core.ip-broken-header/weird.log b/testing/btest/Baseline/core.ip-broken-header/weird.log
index a416f90e66..8aca8dc371 100644
--- a/testing/btest/Baseline/core.ip-broken-header/weird.log
+++ b/testing/btest/Baseline/core.ip-broken-header/weird.log
@@ -3,463 +3,463 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-20-30
+#open	2019-06-07-01-59-22
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1500557630.000000	-	b100:7265::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	b100:7265:6300::8004:ef	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:ff:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557630.000000	-	255.255.0.0	0	255.255.255.223	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:722a:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:9ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6900:0:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:2304:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:28fd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:6500:72:6369:2a29::	0	0:80:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6900:0:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:fcff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff02:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff32:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:722a:6374:6929:1000:0:6904:27ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:3afd:ffff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:69ff:ffff:ffff:ffff:ffff	0	3b1e:400:ff:0:6929:c200:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:700:fe:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:3bff:bf:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:21ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:ffff:ffff:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ff7f:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:ff3a	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:0:ff00:69:2980:0:69	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:e374:6929::6927:ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:2705:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:63ce:80:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29:0:4:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7df	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:0:ffff:ff01::	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:71fd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:2:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	0:7265:6374:6929:ff:0:27ff:28	0	126:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:69ff:ff00:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:fef9:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:6904:40	0	bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:8000::ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	38bf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:69ff:ffff:ffff:ffff:ffff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:80:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:ff:ff00:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:180::	0	bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:0:ff00:69:2980:0:29	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929:600:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7463:2a72:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b000:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	255.255.0.0	0	255.255.255.237	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	0:7265:6374:6929:ff:27:a800:ff	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	-	-	-	-	ip_hdr_len_zero	-	F	bro
-1500557631.000000	-	0.0.0.0	0	0.0.65.95	0	invalid_IP_header_size	-	F	bro
-1500557631.000000	-	b100:7265:6374:7129:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b101:0:74:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fb03:12ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	400:fffe:bfff::ecec:ecfc:ecec	0	ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:6500:72:6369:aa29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:2600:0:8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:8000:40:0:16ef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:0:1000:6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	ff00:bf3b:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b800:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:91:8bd6:ff00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:5445:52ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fff7:820	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff	0	3bbf:ff00:40:6e:756d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b198:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929:0:100:6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:0:100:0:480:ffbf	0	3bff:0:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29:2:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:fff8:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9cc2:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ff21:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6b74:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:ffff:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7229:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:f7fd:ffff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b104:7265:6374:2a29::6904:ff	0	3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:8000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	0.0.0.0	0	0.0.255.255	0	invalid_IP_header_size	-	F	bro
-1500557631.000000	-	b100:7265:6374:6900:8000:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:4900:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:636f:6d29::5704:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:723a:6374:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00::ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	0:7265:6374:6929:ff:0:27ff:28	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929:100:0:6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:0:ffff:6804:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6927:0	0	80bf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6827:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40::80ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:908	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00::ffff:ff03:bffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:6500:72:6300:0:8000:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:8e00:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:9f74:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f701	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3b3f:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:fbff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:9529:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:3600:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bb7:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	0.0.0.0	0	0.53.0.0	0	invalid_IP_header_size	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:39:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929:0:8000:6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7228:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff80::ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7fc	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	100:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7200:6300:4:ff27:65fe:bfff:ff	0	ffff:0:ffff:ff3a:f700:8000:20:8ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:47:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f706	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:6500:72:e369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265::6904:2aff	0	c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300::8001:0	0	::40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	0:7265:6374:6929:ff:27:2800:ff	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:900:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7d8	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	ffff:ff27:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:f7ff:fdff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:0:3a00:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:63ce:29:69:7400:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:6500:72:6369:2a:2900:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:2100::8004:ef	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:6e:756d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:100::	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	0.0.0.0	0	0.0.0.0	0	invalid_IP_header_size	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:1:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:ff:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929:0:69:4:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557631.000000	-	b100:7265:6374:6929::ff:3bff	0	4bf:8080:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:0:4ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:63f4:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6900:0:400:2a29:2aff	0	3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:637b:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:340:80:ffef:ffff:fffd:f7fb	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b300:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:ae74:6929:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:6929::6904:1	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929:ff:ffff:ffff:ffff	0	ffbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ff01:1:ffff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929:0:4:0:80ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:0:40ff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:434f:4e54:454e:5453:5f44	0	4ebf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:ff:ff:fff7:ffff:fdff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:0:80::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:900	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3b01::ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929:3a00:0:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::692a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:40:8:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6929::6927:bf	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:69a9::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:5265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::97fb:ff00	0	c440:108:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:8000	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	32.0.8.99	0	0.0.0.0	0	invalid_IP_header_size	-	F	bro
-1500557632.000000	-	b100:6500:72:6369:2a29:0:6980:ff	0	3bbf:8000:40:0:16ef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::693b:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	0.0.0.0	0	0.255.255.255	0	invalid_IP_header_size	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6928:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:5049:415f:5544:5000:0:6904:5544	0	50bf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929:0:1000:8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:3c0:ffff::fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	fe:8d9a:948b:96d6:ff00:21:6904:ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::8014:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6301::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:63ce:69:7421:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:69:d529:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff27:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff02:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	7200:65:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7263:692a:7429::6904:ff	0	3b:bf00:40ff:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6306:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffe:1ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	50ff:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6900:2900:0:6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6305:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	101.99.116.105	0	41.0.255.0	0	invalid_IP_header_size	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	::40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	0:7265:6374:6900:0:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	2700:7265:6300:0:100:0:8004:ff00	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7200:400:65:6327:101:3ffe:ff	0	ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:637c:6900:0:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:e374:6929::6904:ff	0	3bbf:ff00:40:a:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:fd00:40:0:fffc:ffff:f720:fd3a	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:722a:2374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ff01:0	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:fff2:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:2704:40:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::8004:ff	0	6800:f265:6374:6929:11:27:c00:68	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:725f:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7200:400:65:6327:fffe:bfff:0	0	5000:ff:ffff:ffff:fdf7:ff3a:2000:800	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:8000:0	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:722a:6374:6929:400:4:0:ff69	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	7dbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::8084:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929:0:ffff:ffff:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:2a29:100:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ff00:ffff:3a20:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:6500:72:6369:2a22:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b300:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40::ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:80:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::8004:3a	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff00:0:8080	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2008:2b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:3b00:ff:0:6929:0:f7fd:ffff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929:9:0:9704:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:80fd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ffcc:c219:aa00:0:c9:640d:eb3c	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:a78b:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bff:4000:bf00:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:5265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7218:400:65:6327:fffe:bfff:ff	0	ffff:20:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	71.97.99.109	0	0.16.0.41	0	invalid_IP_header_size	-	F	bro
-1500557632.000000	-	b100:7221:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929:ffff:ffff:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:7fef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:d0d6:ffff:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:29ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:6:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:0:ecff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffef:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:e929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:27ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	3a00:7265:6374:6929::8004:ff	0	c540:fe:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:40:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	65:63b1:7274:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::2104:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6328:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	f100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:6500:72:6328:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7200:400:65:ffff:ffff:ffff:ffff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:fdff:ffff:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:6500:6fd:188:4747:4747:61fd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	0.0.0.255	0	11.0.255.0	0	invalid_IP_header_size_in_tunnel	-	F	bro
-1500557632.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:7fff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:27ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff4e:5654:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374::80:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::8004:3b	0	ff:ffbf:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:6500:91:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:ff:ffff:feff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6301::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:ffff:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:0:ff3b:bf:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6929::6927:10ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6329:ffff:2a74:ffff:ffff:ffff	0	3bbf:ff00:40:6e:756d:3b70:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	143.9.0.0	0	0.98.0.237	0	invalid_IP_header_size	-	F	bro
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:feff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	fffb:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7200:6365::8004:ff	0	3bbf:ff00:840:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	0:7265:6374:6929:ff:27:2800:ff	0	100:0:143:4f4e:5445:4e00:0:704c	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557632.000000	-	b100:7265:6374:6909::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:feff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:2a60	0	3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	2a72:6300:b165:7429:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:639a:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::ff00:480	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929:0:8::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b000:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:21e6:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6301:0:29:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::3b04:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::8804:ff	0	3bbf:ff80:40:0:ffff:ffff:102:800	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	33bf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3b9f:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b13b:bfff:0:4000:ff:ffff:ffff:fdf7	0	ff3a:2000:800:1e04:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:0	0	::80:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b165:6300:7274:6929::400:ff	0	3bbf:ff00:40:0:ffff:ffff:f7fd:ffff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff3b	0	0:bfff:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::3b:bfff	0	ff04:0:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:69:74a9:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:2aff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:6374:65:69:7229:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6377:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b128:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929:4:0:6904:ff	0	3b1e:400:ff:0:6929:2700:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:fd00:40:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:722a:6374:6929::6968:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bff:bf00:40:0:ffff:ffff:fffd:e7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7261:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:7929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:df00::80ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7263:65ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:f8:0:ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:7265:6374:692d::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::4:fd	0	c3bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:3b	0	bf:ffff:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6900:ec00:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	e21e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6928:ffff:fd00:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::ff00:bfff	0	3b00:400:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:520:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ffff	0	ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:28:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::80fb:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c2a:7200:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:7265:6374:693a::6127:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:7265:6374:6929:0:fffe:bfff:ff	0	ffff:ff68:0:4000:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ef	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:2700:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:7265:6374:6929::6904:ff	0	3bbf:ff00:40:27:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::2a:0	0	::6a:ffff:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6900:a:400:2a29:3b2a	0	ffbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:6500:72:6369:2a29:3b00:690a:ff	0	3bbf:fb00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:722a:6374::	0	ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:722a:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:2aff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7200:63:65::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:fc	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6900:0	0	80bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:63ce:69:2129:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:3a:ffef:ff:ffff:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:9265:6300:69:7429:0:690a:ff	0	40:3bff:bf:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:dffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:1ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:724a:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:f6	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:0	0	ffff:ff:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6500:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929:0:a:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6900::2900:0	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	68.80.95.104	0	109.115.117.0	0	invalid_IP_header_size	-	F	bro
-1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:692b::6904:ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6900:29:0:6914:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:6500:72:e369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	8:1e:400:ff00:0:3200:8004:ff	0	3bff:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:f7fd	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:8ba:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300::8004:ff	0	48bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7365:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:5600:800:2b00:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	0:7265:6374:6929:ff:6:27ff:28	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6b74:6909::6904:ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ff48:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:7400:2969:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:3bff:c5:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265::6904:2a3a	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:f9ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7261:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:9fd6:ffff:2:800	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6300:69:7429:8000:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	ffff:ffff:ffff:ffff::	0	::40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:400:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:7265:6374:6929::ff00:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:fffe:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:ffff::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	4f00:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:8000::6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929:1:400:8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	0.255.255.0	0	0.0.0.0	0	invalid_IP_header_size	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929:4:0:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:342b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:6929:400:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	b100:7265:1::69	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557633.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:ffff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	9c00:722a:6374:6929:1001:900:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:40:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	9c00:722a:6374:6929::6904:eff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	ffdb:ffff:3b00::ff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:6374:6929:ffff:ffff:8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:6300:669:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:6374:6929::693b:bdff	0	0:4000:ff:ffff:fdff:fff7:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	0.71.103.97	0	99.116.0.128	0	invalid_IP_header_size	-	F	bro
-1500557634.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:63ce:69:7429:0:690a:b1	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:29ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	6500:0:6fd:188:4747:4747:6163:7400	0	0:2c29:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	9c00:722a:6374:6929:8000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:6500:72:6369:2900:2a00:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:6374:2a29::6904:ff	0	29bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:10:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	9c00:7265:6374:6929::612f:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ffc3:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	9c00:722a:6374:6929:1000:100:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:6374:6929:ff:ffff:ff04:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	b100:7265:0:ff00:69:2980:0:69	0	c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-1500557634.000000	-	9c00:7265:6374:69d1::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-#close	2017-10-19-17-20-30
+1500557630.000000	-	b100:7265::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	b100:7265:6300::8004:ef	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:ff:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557630.000000	-	255.255.0.0	0	255.255.255.223	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:722a:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:9ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6900:0:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:2304:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:28fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:6500:72:6369:2a29::	0	0:80:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6900:0:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:fcff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff02:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff32:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:722a:6374:6929:1000:0:6904:27ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:3afd:ffff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:69ff:ffff:ffff:ffff:ffff	0	3b1e:400:ff:0:6929:c200:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:700:fe:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:3bff:bf:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:21ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:ffff:ffff:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ff7f:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:ff3a	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:0:ff00:69:2980:0:69	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:e374:6929::6927:ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:2705:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:63ce:80:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29:0:4:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7df	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:0:ffff:ff01::	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:71fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:2:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	0:7265:6374:6929:ff:0:27ff:28	0	126:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:69ff:ff00:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:fef9:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:6904:40	0	bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:8000::ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	38bf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:69ff:ffff:ffff:ffff:ffff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:80:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:ff:ff00:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:180::	0	bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:0:ff00:69:2980:0:29	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929:600:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7463:2a72:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b000:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	255.255.0.0	0	255.255.255.237	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	0:7265:6374:6929:ff:27:a800:ff	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	-	-	-	-	ip_hdr_len_zero	-	F	zeek
+1500557631.000000	-	0.0.0.0	0	0.0.65.95	0	invalid_IP_header_size	-	F	zeek
+1500557631.000000	-	b100:7265:6374:7129:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b101:0:74:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fb03:12ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	400:fffe:bfff::ecec:ecfc:ecec	0	ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:6500:72:6369:aa29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:2600:0:8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:8000:40:0:16ef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:0:1000:6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	ff00:bf3b:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b800:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:91:8bd6:ff00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:5445:52ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fff7:820	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff	0	3bbf:ff00:40:6e:756d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b198:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929:0:100:6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:0:100:0:480:ffbf	0	3bff:0:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29:2:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:fff8:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9cc2:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ff21:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6b74:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:ffff:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7229:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:f7fd:ffff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b104:7265:6374:2a29::6904:ff	0	3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:8000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	0.0.0.0	0	0.0.255.255	0	invalid_IP_header_size	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6900:8000:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:4900:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:636f:6d29::5704:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:723a:6374:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00::ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	0:7265:6374:6929:ff:0:27ff:28	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929:100:0:6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:0:ffff:6804:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6927:0	0	80bf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6827:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40::80ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:908	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00::ffff:ff03:bffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:6500:72:6300:0:8000:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:8e00:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:9f74:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f701	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3b3f:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:fbff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:9529:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:3600:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bb7:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	0.0.0.0	0	0.53.0.0	0	invalid_IP_header_size	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:39:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929:0:8000:6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7228:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff80::ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7fc	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	100:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7200:6300:4:ff27:65fe:bfff:ff	0	ffff:0:ffff:ff3a:f700:8000:20:8ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:47:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f706	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:6500:72:e369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265::6904:2aff	0	c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300::8001:0	0	::40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	0:7265:6374:6929:ff:27:2800:ff	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:900:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7d8	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	ffff:ff27:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:f7ff:fdff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:0:3a00:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:63ce:29:69:7400:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:6500:72:6369:2a:2900:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:2100::8004:ef	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:6e:756d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:100::	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	0.0.0.0	0	0.0.0.0	0	invalid_IP_header_size	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:1:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:ff:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929:0:69:4:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557631.000000	-	b100:7265:6374:6929::ff:3bff	0	4bf:8080:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:0:4ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:63f4:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6900:0:400:2a29:2aff	0	3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:637b:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:340:80:ffef:ffff:fffd:f7fb	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b300:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:ae74:6929:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:6929::6904:1	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929:ff:ffff:ffff:ffff	0	ffbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ff01:1:ffff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929:0:4:0:80ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:0:40ff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:434f:4e54:454e:5453:5f44	0	4ebf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:ff:ff:fff7:ffff:fdff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:0:80::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:900	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3b01::ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929:3a00:0:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::692a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:40:8:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6929::6927:bf	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:69a9::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:5265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::97fb:ff00	0	c440:108:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:8000	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	32.0.8.99	0	0.0.0.0	0	invalid_IP_header_size	-	F	zeek
+1500557632.000000	-	b100:6500:72:6369:2a29:0:6980:ff	0	3bbf:8000:40:0:16ef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::693b:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	0.0.0.0	0	0.255.255.255	0	invalid_IP_header_size	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6928:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:5049:415f:5544:5000:0:6904:5544	0	50bf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929:0:1000:8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:3c0:ffff::fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	fe:8d9a:948b:96d6:ff00:21:6904:ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::8014:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6301::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:63ce:69:7421:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:69:d529:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff27:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff02:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	7200:65:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7263:692a:7429::6904:ff	0	3b:bf00:40ff:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6306:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffe:1ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	50ff:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6900:2900:0:6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6305:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	101.99.116.105	0	41.0.255.0	0	invalid_IP_header_size	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	::40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	0:7265:6374:6900:0:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	2700:7265:6300:0:100:0:8004:ff00	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7200:400:65:6327:101:3ffe:ff	0	ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:637c:6900:0:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:e374:6929::6904:ff	0	3bbf:ff00:40:a:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:fd00:40:0:fffc:ffff:f720:fd3a	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:722a:2374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ff01:0	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:fff2:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:2704:40:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::8004:ff	0	6800:f265:6374:6929:11:27:c00:68	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:725f:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7200:400:65:6327:fffe:bfff:0	0	5000:ff:ffff:ffff:fdf7:ff3a:2000:800	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:8000:0	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:722a:6374:6929:400:4:0:ff69	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	7dbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::8084:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929:0:ffff:ffff:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:2a29:100:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ff00:ffff:3a20:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:6500:72:6369:2a22:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b300:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40::ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:80:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::8004:3a	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff00:0:8080	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2008:2b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:3b00:ff:0:6929:0:f7fd:ffff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929:9:0:9704:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:80fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ffcc:c219:aa00:0:c9:640d:eb3c	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:a78b:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bff:4000:bf00:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:5265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7218:400:65:6327:fffe:bfff:ff	0	ffff:20:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	71.97.99.109	0	0.16.0.41	0	invalid_IP_header_size	-	F	zeek
+1500557632.000000	-	b100:7221:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929:ffff:ffff:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:7fef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:d0d6:ffff:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:29ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:6:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:0:ecff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffef:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:e929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:27ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	3a00:7265:6374:6929::8004:ff	0	c540:fe:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:40:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	65:63b1:7274:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::2104:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6328:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	f100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:6500:72:6328:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7200:400:65:ffff:ffff:ffff:ffff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:fdff:ffff:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:6500:6fd:188:4747:4747:61fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	0.0.0.255	0	11.0.255.0	0	invalid_IP_header_size_in_tunnel	-	F	zeek
+1500557632.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:7fff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:27ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff4e:5654:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374::80:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::8004:3b	0	ff:ffbf:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:6500:91:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:ff:ffff:feff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6301::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:ffff:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:0:ff3b:bf:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6929::6927:10ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6329:ffff:2a74:ffff:ffff:ffff	0	3bbf:ff00:40:6e:756d:3b70:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	143.9.0.0	0	0.98.0.237	0	invalid_IP_header_size	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:feff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	fffb:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7200:6365::8004:ff	0	3bbf:ff00:840:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	0:7265:6374:6929:ff:27:2800:ff	0	100:0:143:4f4e:5445:4e00:0:704c	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557632.000000	-	b100:7265:6374:6909::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:feff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:2a60	0	3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	2a72:6300:b165:7429:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:639a:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::ff00:480	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929:0:8::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b000:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:21e6:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6301:0:29:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::3b04:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::8804:ff	0	3bbf:ff80:40:0:ffff:ffff:102:800	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	33bf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3b9f:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b13b:bfff:0:4000:ff:ffff:ffff:fdf7	0	ff3a:2000:800:1e04:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:0	0	::80:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b165:6300:7274:6929::400:ff	0	3bbf:ff00:40:0:ffff:ffff:f7fd:ffff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff3b	0	0:bfff:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::3b:bfff	0	ff04:0:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:69:74a9:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:2aff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:6374:65:69:7229:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6377:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b128:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929:4:0:6904:ff	0	3b1e:400:ff:0:6929:2700:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:fd00:40:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:722a:6374:6929::6968:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bff:bf00:40:0:ffff:ffff:fffd:e7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7261:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:7929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:df00::80ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7263:65ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:f8:0:ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:692d::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::4:fd	0	c3bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:3b	0	bf:ffff:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6900:ec00:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	e21e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6928:ffff:fd00:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::ff00:bfff	0	3b00:400:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:520:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ffff	0	ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:28:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::80fb:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c2a:7200:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:693a::6127:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:6929:0:fffe:bfff:ff	0	ffff:ff68:0:4000:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ef	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:2700:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:6929::6904:ff	0	3bbf:ff00:40:27:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::2a:0	0	::6a:ffff:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6900:a:400:2a29:3b2a	0	ffbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:6500:72:6369:2a29:3b00:690a:ff	0	3bbf:fb00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:722a:6374::	0	ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:722a:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:2aff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7200:63:65::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:fc	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6900:0	0	80bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:63ce:69:2129:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:3a:ffef:ff:ffff:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:9265:6300:69:7429:0:690a:ff	0	40:3bff:bf:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:dffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:1ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:724a:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:f6	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:0	0	ffff:ff:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6500:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929:0:a:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6900::2900:0	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	68.80.95.104	0	109.115.117.0	0	invalid_IP_header_size	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:692b::6904:ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6900:29:0:6914:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:6500:72:e369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	8:1e:400:ff00:0:3200:8004:ff	0	3bff:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:f7fd	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:8ba:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300::8004:ff	0	48bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7365:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:5600:800:2b00:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	0:7265:6374:6929:ff:6:27ff:28	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6b74:6909::6904:ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ff48:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:7400:2969:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:3bff:c5:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265::6904:2a3a	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:f9ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7261:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:9fd6:ffff:2:800	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6300:69:7429:8000:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	ffff:ffff:ffff:ffff::	0	::40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:400:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:6929::ff00:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:fffe:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:ffff::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	4f00:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:8000::6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929:1:400:8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	0.255.255.0	0	0.0.0.0	0	invalid_IP_header_size	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929:4:0:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:342b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:6929:400:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	b100:7265:1::69	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557633.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:ffff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	9c00:722a:6374:6929:1001:900:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:40:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	9c00:722a:6374:6929::6904:eff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	ffdb:ffff:3b00::ff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:6374:6929:ffff:ffff:8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:6300:669:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:6374:6929::693b:bdff	0	0:4000:ff:ffff:fdff:fff7:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	0.71.103.97	0	99.116.0.128	0	invalid_IP_header_size	-	F	zeek
+1500557634.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:63ce:69:7429:0:690a:b1	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:29ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	6500:0:6fd:188:4747:4747:6163:7400	0	0:2c29:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	9c00:722a:6374:6929:8000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:6500:72:6369:2900:2a00:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:6374:2a29::6904:ff	0	29bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:10:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	9c00:7265:6374:6929::612f:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ffc3:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	9c00:722a:6374:6929:1000:100:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:6374:6929:ff:ffff:ff04:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	b100:7265:0:ff00:69:2980:0:69	0	c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+1500557634.000000	-	9c00:7265:6374:69d1::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+#close	2019-06-07-01-59-22
diff --git a/testing/btest/Baseline/core.negative-time/weird.log b/testing/btest/Baseline/core.negative-time/weird.log
index 6c88ea26ef..ccc9a520af 100644
--- a/testing/btest/Baseline/core.negative-time/weird.log
+++ b/testing/btest/Baseline/core.negative-time/weird.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-05-23-20-20-21
+#open	2019-06-07-01-59-25
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1425182592.408334	-	-	-	-	-	negative_packet_timestamp	-	F	bro
-#close	2016-05-23-20-20-21
+1425182592.408334	-	-	-	-	-	negative_packet_timestamp	-	F	zeek
+#close	2019-06-07-01-59-25
diff --git a/testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log b/testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log
index 3c442060c0..04e2ae193e 100644
--- a/testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log
+++ b/testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2016-07-13-16-12-56
+#open	2019-06-07-01-59-28
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1468426376.541368	bro	port 50000	T	T
-#close	2016-07-13-16-12-56
+1559872768.563861	zeek	port 50000	T	T
+#close	2019-06-07-01-59-28
diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log
index f14621c261..7f4eaf9740 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2019-03-12-03-25-14
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1278600802.069419	CHhAvVGS1DHFjwGM9	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	-	0	ShADadfF	7	381	7	3801	-
-#close	2019-03-12-03-25-14
+#close	2019-06-07-02-20-04
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output b/testing/btest/Baseline/core.print-bpf-filters/output
index d8067da821..84caba4d8c 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output
+++ b/testing/btest/Baseline/core.print-bpf-filters/output
@@ -3,28 +3,28 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2019-03-12-03-25-12
+#open	2019-06-07-02-20-03
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1552361112.763592	bro	ip or not ip	T	T
-#close	2019-03-12-03-25-12
+1559874003.309984	zeek	ip or not ip	T	T
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2019-03-12-03-25-13
+#open	2019-06-07-02-20-03
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1552361113.442916	bro	port 42	T	T
-#close	2019-03-12-03-25-13
+1559874003.872388	zeek	port 42	T	T
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2019-03-12-03-25-14
+#open	2019-06-07-02-20-04
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1552361114.111534	bro	(vlan) and (ip or not ip)	T	T
-#close	2019-03-12-03-25-14
+1559874004.312190	zeek	(vlan) and (ip or not ip)	T	T
+#close	2019-06-07-02-20-04
diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output
index 85acc259ff..8ef1ff8e9d 100644
--- a/testing/btest/Baseline/core.truncation/output
+++ b/testing/btest/Baseline/core.truncation/output
@@ -3,78 +3,78 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-27
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334160095.895421	-	-	-	-	-	truncated_IP	-	F	bro
-#close	2017-10-19-17-18-28
+1334160095.895421	-	-	-	-	-	truncated_IP	-	F	zeek
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-29
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334156241.519125	-	-	-	-	-	truncated_IP	-	F	bro
-#close	2017-10-19-17-18-30
+1334156241.519125	-	-	-	-	-	truncated_IP	-	F	zeek
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-32
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334094648.590126	-	-	-	-	-	truncated_IP	-	F	bro
-#close	2017-10-19-17-18-32
+1334094648.590126	-	-	-	-	-	truncated_IP	-	F	zeek
+#close	2019-06-07-02-20-04
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-36
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1338328954.078361	-	-	-	-	-	internally_truncated_header	-	F	bro
-#close	2017-10-19-17-18-36
+1338328954.078361	-	-	-	-	-	internally_truncated_header	-	F	zeek
+#close	2019-06-07-02-20-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-37
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-0.000000	-	-	-	-	-	truncated_link_header	-	F	bro
-#close	2017-10-19-17-18-38
+0.000000	-	-	-	-	-	truncated_link_header	-	F	zeek
+#close	2019-06-07-02-20-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-39
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1508360735.834163	-	163.253.48.183	0	192.150.187.43	0	invalid_IP_header_size	-	F	bro
-#close	2017-10-19-17-18-40
+1508360735.834163	-	163.253.48.183	0	192.150.187.43	0	invalid_IP_header_size	-	F	zeek
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-41
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1508360735.834163	-	163.253.48.183	0	192.150.187.43	0	internally_truncated_header	-	F	bro
-#close	2017-10-19-17-18-42
+1508360735.834163	-	163.253.48.183	0	192.150.187.43	0	internally_truncated_header	-	F	zeek
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-43
+#open	2019-06-07-02-20-07
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1500557630.000000	-	0.255.0.255	0	15.254.2.1	0	invalid_IP_header_size_in_tunnel	-	F	bro
-#close	2017-10-19-17-18-44
+1500557630.000000	-	0.255.0.255	0	15.254.2.1	0	invalid_IP_header_size_in_tunnel	-	F	zeek
+#close	2019-06-07-02-20-07
diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
index 728d8e4793..bf3356a6df 100644
--- a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
+++ b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
@@ -3,18 +3,18 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-26-34
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1500557630.000000	-	ff00:0:6929::6904:ff:3bbf	0	ffff:0:69:2900:0:69:400:ff3b	0	invalid_inner_IP_version_in_tunnel	-	F	bro
-#close	2017-10-19-17-26-35
+1500557630.000000	-	ff00:0:6929::6904:ff:3bbf	0	ffff:0:69:2900:0:69:400:ff3b	0	invalid_inner_IP_version_in_tunnel	-	F	zeek
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-26-36
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1500557630.000000	-	b100:7265::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
-#close	2017-10-19-17-26-37
+1500557630.000000	-	b100:7265::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
+#close	2019-06-07-02-20-03
diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log
index 5ff4c65292..8c80b270b3 100644
--- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log
+++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-13-14
+#open	2019-06-07-01-59-35
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1340127577.341510	CUM0KZ3MLUfNB0cl11	192.168.2.16	3797	83.170.1.38	32900	Teredo_bubble_with_payload	-	F	bro
-1340127577.346849	CHhAvVGS1DHFjwGM9	192.168.2.16	3797	65.55.158.80	3544	Teredo_bubble_with_payload	-	F	bro
-#close	2016-07-13-16-13-14
+1340127577.341510	CUM0KZ3MLUfNB0cl11	192.168.2.16	3797	83.170.1.38	32900	Teredo_bubble_with_payload	-	F	zeek
+1340127577.346849	CHhAvVGS1DHFjwGM9	192.168.2.16	3797	65.55.158.80	3544	Teredo_bubble_with_payload	-	F	zeek
+#close	2019-06-07-01-59-35
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index cc8431a129..27949c8795 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -273,7 +273,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559762527.125384, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -450,7 +450,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559762527.125384, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -1159,7 +1159,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559762527.125384, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1336,7 +1336,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559762527.125384, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -2044,7 +2044,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1559762527.125384, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2221,7 +2221,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1559762527.125384, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2651,7 +2651,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1559762527.125384, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()
diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output
index 729887b44d..cafb0429af 100644
--- a/testing/btest/Baseline/plugins.writer/output
+++ b/testing/btest/Baseline/plugins.writer/output
@@ -17,6 +17,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0.0)
 [http] 1340213020.732963|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
 [http] 1340213021.300269|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
 [http] 1340213021.861584|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|-|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|-
-[packet_filter] 1552509148.042714|bro|ip or not ip|T|T
+[packet_filter] 1559874008.158433|zeek|ip or not ip|T|T
 [socks] 1340213015.276495|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688
 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
index 78422499cf..a4878b7cc4 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output
@@ -3,15 +3,15 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2018-04-27-23-53-04
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1524873184.861542	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-1524873187.913197	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-1524873190.976201	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1,source2	-	-	-
-1524873194.052686	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1,source2	-	-	-
-1524873197.128942	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1,source2	-	-	-
-#close	2018-04-27-23-53-20
+1559874005.130930	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1	-	-	-
+1559874008.152069	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1	-	-	-
+1559874011.172813	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1,source2	-	-	-
+1559874014.190374	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1,source2	-	-	-
+1559874017.207215	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1,source2	-	-	-
+#close	2019-06-07-02-20-20
 -- Run 1 --
 Trigger: 1.2.3.4
 Seen: 1.2.3.4
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/zeekproc.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/zeekproc.intel.log
index dfe45974c1..ba8d9f449e 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/zeekproc.intel.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.filter-item/zeekproc.intel.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2019-03-24-20-29-18
+#open	2019-06-07-02-27-51
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1553459358.205227	-	-	-	-	-	1.2.3.42	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-#close	2019-03-24-20-29-18
+1559874471.197669	-	-	-	-	-	1.2.3.42	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1	-	-	-
+#close	2019-06-07-02-27-51
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/zeekproc.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/zeekproc.intel.log
index 7c29bb659e..50c041efda 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/zeekproc.intel.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/zeekproc.intel.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-06-15-19-12-26
+#open	2019-06-07-02-27-51
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1466017946.413077	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	bro	Intel::EMAIL	source1	-	-	-
-1466017946.413077	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-#close	2016-06-15-19-12-26
+1559874471.206651	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	zeek	Intel::EMAIL	source1	-	-	-
+1559874471.206651	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1	-	-	-
+#close	2019-06-07-02-27-51
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.match-subnet/output b/testing/btest/Baseline/scripts.base.frameworks.intel.match-subnet/output
index d8c2755fe4..c36418c477 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.match-subnet/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.match-subnet/output
@@ -3,21 +3,21 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-08-05-13-13-14
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1470402794.307931	-	-	-	-	-	192.168.1.1	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-1470402794.307931	-	-	-	-	-	192.168.2.1	Intel::ADDR	SOMEWHERE	bro	Intel::SUBNET	source1	-	-	-
-1470402794.307931	-	-	-	-	-	192.168.142.1	Intel::ADDR	SOMEWHERE	bro	Intel::SUBNET,Intel::ADDR	source1	-	-	-
-#close	2016-08-05-13-13-14
+1559874004.952411	-	-	-	-	-	192.168.1.1	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1	-	-	-
+1559874004.952411	-	-	-	-	-	192.168.2.1	Intel::ADDR	SOMEWHERE	zeek	Intel::SUBNET	source1	-	-	-
+1559874004.952411	-	-	-	-	-	192.168.142.1	Intel::ADDR	SOMEWHERE	zeek	Intel::SUBNET,Intel::ADDR	source1	-	-	-
+#close	2019-06-07-02-20-05
 
-Seen: [indicator=192.168.1.1, indicator_type=Intel::ADDR, host=192.168.1.1, where=SOMEWHERE, node=bro, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
+Seen: [indicator=192.168.1.1, indicator_type=Intel::ADDR, host=192.168.1.1, where=SOMEWHERE, node=zeek, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
 Item: [indicator=192.168.1.1, indicator_type=Intel::ADDR, meta=[source=source1, desc=this host is just plain baaad, url=http://some-data-distributor.com/1]]
 
-Seen: [indicator=192.168.2.1, indicator_type=Intel::ADDR, host=192.168.2.1, where=SOMEWHERE, node=bro, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
+Seen: [indicator=192.168.2.1, indicator_type=Intel::ADDR, host=192.168.2.1, where=SOMEWHERE, node=zeek, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
 Item: [indicator=192.168.2.0/24, indicator_type=Intel::SUBNET, meta=[source=source1, desc=this subnetwork is just plain baaad, url=http://some-data-distributor.com/2]]
 
-Seen: [indicator=192.168.142.1, indicator_type=Intel::ADDR, host=192.168.142.1, where=SOMEWHERE, node=bro, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
+Seen: [indicator=192.168.142.1, indicator_type=Intel::ADDR, host=192.168.142.1, where=SOMEWHERE, node=zeek, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
 Item: [indicator=192.168.142.1, indicator_type=Intel::ADDR, meta=[source=source1, desc=this host is just plain baaad, url=http://some-data-distributor.com/3]]
 Item: [indicator=192.168.128.0/18, indicator_type=Intel::SUBNET, meta=[source=source1, desc=this subnetwork might be baaad, url=http://some-data-distributor.com/5]]
 Item: [indicator=192.168.142.0/26, indicator_type=Intel::SUBNET, meta=[source=source1, desc=this subnetwork is inside, url=http://some-data-distributor.com/4]]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output
index ce4bc37b4a..1e065f2673 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output
@@ -3,23 +3,23 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2019-06-05-19-44-26
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1559763866.049905	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-1559763867.212778	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1,source2	-	-	-
-1559763867.212778	-	-	-	-	-	4.3.2.1	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source2	-	-	-
-1559763868.245883	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1,source2	-	-	-
-1559763868.245883	-	-	-	-	-	4.3.2.1	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source2	-	-	-
-#close	2019-06-05-19-44-28
+1559874004.005095	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1	-	-	-
+1559874005.130958	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1,source2	-	-	-
+1559874005.130958	-	-	-	-	-	4.3.2.1	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source2	-	-	-
+1559874006.142023	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1,source2	-	-	-
+1559874006.142023	-	-	-	-	-	4.3.2.1	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source2	-	-	-
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2019-06-05-19-44-28
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	string	string	string	double	double
-1559763868.245883	-	-	-	-	-	-	-	-	-	Intel::Notice	Intel hit on 1.2.3.4 at SOMEWHERE	1.2.3.4	-	-	-	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
-1559763868.245883	-	-	-	-	-	-	-	-	-	Intel::Notice	Intel hit on 4.3.2.1 at SOMEWHERE	4.3.2.1	-	-	-	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
-#close	2019-06-05-19-44-28
+1559874006.142023	-	-	-	-	-	-	-	-	-	Intel::Notice	Intel hit on 1.2.3.4 at SOMEWHERE	1.2.3.4	-	-	-	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
+1559874006.142023	-	-	-	-	-	-	-	-	-	Intel::Notice	Intel hit on 4.3.2.1 at SOMEWHERE	4.3.2.1	-	-	-	-	-	Notice::ACTION_LOG	3600.000000	-	-	-	-	-
+#close	2019-06-07-02-20-06
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log
index 867ba696d8..63c348ce42 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log
@@ -3,41 +3,41 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2016-08-10-20-27-56
+#open	2019-06-07-02-20-04
 #fields	_write_ts	_system_name	_undefined_string	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	string	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1300475173.475401	bro	-	1300475173.475401	C3eiCBGOLw3VtHfOj	173.192.163.128	80	141.142.220.235	6705	tcp	-	-	-	-	OTH	-	-	0	H	1	48	0	0	-
-1300475173.475401	bro	-	1300475173.475401	CmES5u32sYpV7JYN	141.142.220.118	49999	208.80.152.3	80	tcp	-	0.220961	1137	733	S1	-	-	0	ShADad	6	1457	4	949	-
-1300475173.475401	bro	-	1300475173.475401	CHhAvVGS1DHFjwGM9	141.142.220.118	48649	208.80.152.118	80	tcp	-	0.119905	525	232	S1	-	-	0	ShADad	4	741	3	396	-
-1300475173.475401	bro	-	1300475173.475401	ClEkJM2Vm5giqnMf4h	141.142.220.118	49997	208.80.152.3	80	tcp	-	0.219720	1125	734	S1	-	-	0	ShADad	6	1445	4	950	-
-1300475173.475401	bro	-	1300475173.475401	C4J4Th3PJpwUYZZ6gc	141.142.220.118	49996	208.80.152.3	80	tcp	-	0.218501	1171	733	S1	-	-	0	ShADad	6	1491	4	949	-
-1300475173.475401	bro	-	1300475173.475401	CwjjYJ2WqgTbAqiHl6	141.142.220.118	35634	208.80.152.2	80	tcp	-	0.061329	463	350	OTH	-	-	0	DdA	2	567	1	402	-
-1300475173.475401	bro	-	1300475173.475401	C37jN32gN3y3AZzyf6	141.142.220.118	35642	208.80.152.2	80	tcp	-	0.120041	534	412	S1	-	-	0	ShADad	4	750	3	576	-
-1300475173.475401	bro	-	1300475173.475401	CtPZjS20MLrsMUOJi2	141.142.220.118	49998	208.80.152.3	80	tcp	-	0.215893	1130	734	S1	-	-	0	ShADad	6	1450	4	950	-
-1300475173.475401	bro	-	1300475173.475401	CUM0KZ3MLUfNB0cl11	141.142.220.118	50000	208.80.152.3	80	tcp	-	0.229603	1148	734	S1	-	-	0	ShADad	6	1468	4	950	-
-1300475173.475401	bro	-	1300475173.475401	CP5puj4I8PtEU4qzYg	141.142.220.118	50001	208.80.152.3	80	tcp	-	0.227284	1178	734	S1	-	-	0	ShADad	6	1498	4	950	-
-1300475173.475401	bro	-	1300475173.475401	C0LAHyvtKSQHyJxIl	141.142.220.118	43927	141.142.2.2	53	udp	-	0.000435	38	89	SF	-	-	0	Dd	1	66	1	117	-
-1300475173.475401	bro	-	1300475173.475401	CFLRIC3zaTU1loLGxh	141.142.220.118	56056	141.142.2.2	53	udp	-	0.000402	36	131	SF	-	-	0	Dd	1	64	1	159	-
-1300475173.475401	bro	-	1300475173.475401	C9rXSW3KSpTYvPrlI1	141.142.220.118	55092	141.142.2.2	53	udp	-	0.000374	36	198	SF	-	-	0	Dd	1	64	1	226	-
-1300475173.475401	bro	-	1300475173.475401	Ck51lg1bScffFj34Ri	141.142.220.118	59714	141.142.2.2	53	udp	-	0.000375	38	183	SF	-	-	0	Dd	1	66	1	211	-
-1300475173.475401	bro	-	1300475173.475401	C9mvWx3ezztgzcexV7	141.142.220.50	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	179	0	0	-
-1300475173.475401	bro	-	1300475173.475401	CNnMIj2QSd84NKf7U3	141.142.220.118	40526	141.142.2.2	53	udp	-	0.000392	38	183	SF	-	-	0	Dd	1	66	1	211	-
-1300475173.475401	bro	-	1300475173.475401	C7fIlMZDuRiqjpYbb	141.142.220.118	48128	141.142.2.2	53	udp	-	0.000423	38	183	SF	-	-	0	Dd	1	66	1	211	-
-1300475173.475401	bro	-	1300475173.475401	CykQaM33ztNt0csB9a	141.142.220.118	48479	141.142.2.2	53	udp	-	0.000317	52	99	SF	-	-	0	Dd	1	80	1	127	-
-1300475173.475401	bro	-	1300475173.475401	CtxTCR2Yer0FR1tIBg	141.142.220.44	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	85	0	0	-
-1300475173.475401	bro	-	1300475173.475401	CpmdRlaUoJLN3uIRa	141.142.220.226	137	141.142.220.255	137	udp	-	2.613017	350	0	S0	-	-	0	D	7	546	0	0	-
-1300475173.475401	bro	-	1300475173.475401	C1Xkzz2MaGtLrc1Tla	141.142.220.118	59746	141.142.2.2	53	udp	-	0.000421	38	183	SF	-	-	0	Dd	1	66	1	211	-
-1300475173.475401	bro	-	1300475173.475401	CqlVyW1YwZ15RhTBc4	141.142.220.118	59816	141.142.2.2	53	udp	-	0.000343	52	99	SF	-	-	0	Dd	1	80	1	127	-
-1300475173.475401	bro	-	1300475173.475401	CLNN1k2QMum1aexUK7	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	-	-	-	-	S0	-	-	0	D	1	199	0	0	-
-1300475173.475401	bro	-	1300475173.475401	CBA8792iHmnhPLksKa	141.142.220.226	55671	224.0.0.252	5355	udp	-	0.099849	66	0	S0	-	-	0	D	2	122	0	0	-
-1300475173.475401	bro	-	1300475173.475401	CGLPPc35OzDQij1XX8	141.142.220.238	56641	141.142.220.255	137	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
-1300475173.475401	bro	-	1300475173.475401	CiyBAq1bBLNaTiTAc	141.142.220.118	38911	141.142.2.2	53	udp	-	0.000335	52	99	SF	-	-	0	Dd	1	80	1	127	-
-1300475173.475401	bro	-	1300475173.475401	CFSwNi4CNGxcuffo49	fe80::3074:17d5:2052:c324	65373	ff02::1:3	5355	udp	-	0.100096	66	0	S0	-	-	0	D	2	162	0	0	-
-1300475173.475401	bro	-	1300475173.475401	Cipfzj1BEnhejw8cGf	141.142.220.202	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	73	0	0	-
-1300475173.475401	bro	-	1300475173.475401	CV5WJ42jPYbNW9JNWf	141.142.220.118	37676	141.142.2.2	53	udp	-	0.000420	52	99	SF	-	-	0	Dd	1	80	1	127	-
-1300475173.475401	bro	-	1300475173.475401	CPhDKt12KQPUVbQz06	141.142.220.226	55131	224.0.0.252	5355	udp	-	0.100021	66	0	S0	-	-	0	D	2	122	0	0	-
-1300475173.475401	bro	-	1300475173.475401	CAnFrb2Cvxr5T7quOc	fe80::3074:17d5:2052:c324	54213	ff02::1:3	5355	udp	-	0.099801	66	0	S0	-	-	0	D	2	162	0	0	-
-1300475173.475401	bro	-	1300475173.475401	C8rquZ3DjgNW06JGLl	141.142.220.118	45000	141.142.2.2	53	udp	-	0.000384	38	89	SF	-	-	0	Dd	1	66	1	117	-
-1300475173.475401	bro	-	1300475173.475401	CzrZOtXqhwwndQva3	141.142.220.118	32902	141.142.2.2	53	udp	-	0.000317	38	89	SF	-	-	0	Dd	1	66	1	117	-
-1300475173.475401	bro	-	1300475173.475401	CaGCc13FffXe6RkQl9	141.142.220.118	58206	141.142.2.2	53	udp	-	0.000339	38	89	SF	-	-	0	Dd	1	66	1	117	-
-#close	2016-08-10-20-27-56
+1300475173.475401	zeek	-	1300475173.475401	C3eiCBGOLw3VtHfOj	173.192.163.128	80	141.142.220.235	6705	tcp	-	-	-	-	OTH	-	-	0	H	1	48	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	CmES5u32sYpV7JYN	141.142.220.118	49999	208.80.152.3	80	tcp	-	0.220961	1137	733	S1	-	-	0	ShADad	6	1457	4	949	-
+1300475173.475401	zeek	-	1300475173.475401	CHhAvVGS1DHFjwGM9	141.142.220.118	48649	208.80.152.118	80	tcp	-	0.119905	525	232	S1	-	-	0	ShADad	4	741	3	396	-
+1300475173.475401	zeek	-	1300475173.475401	ClEkJM2Vm5giqnMf4h	141.142.220.118	49997	208.80.152.3	80	tcp	-	0.219720	1125	734	S1	-	-	0	ShADad	6	1445	4	950	-
+1300475173.475401	zeek	-	1300475173.475401	C4J4Th3PJpwUYZZ6gc	141.142.220.118	49996	208.80.152.3	80	tcp	-	0.218501	1171	733	S1	-	-	0	ShADad	6	1491	4	949	-
+1300475173.475401	zeek	-	1300475173.475401	CwjjYJ2WqgTbAqiHl6	141.142.220.118	35634	208.80.152.2	80	tcp	-	0.061329	463	350	OTH	-	-	0	DdA	2	567	1	402	-
+1300475173.475401	zeek	-	1300475173.475401	C37jN32gN3y3AZzyf6	141.142.220.118	35642	208.80.152.2	80	tcp	-	0.120041	534	412	S1	-	-	0	ShADad	4	750	3	576	-
+1300475173.475401	zeek	-	1300475173.475401	CtPZjS20MLrsMUOJi2	141.142.220.118	49998	208.80.152.3	80	tcp	-	0.215893	1130	734	S1	-	-	0	ShADad	6	1450	4	950	-
+1300475173.475401	zeek	-	1300475173.475401	CUM0KZ3MLUfNB0cl11	141.142.220.118	50000	208.80.152.3	80	tcp	-	0.229603	1148	734	S1	-	-	0	ShADad	6	1468	4	950	-
+1300475173.475401	zeek	-	1300475173.475401	CP5puj4I8PtEU4qzYg	141.142.220.118	50001	208.80.152.3	80	tcp	-	0.227284	1178	734	S1	-	-	0	ShADad	6	1498	4	950	-
+1300475173.475401	zeek	-	1300475173.475401	C0LAHyvtKSQHyJxIl	141.142.220.118	43927	141.142.2.2	53	udp	-	0.000435	38	89	SF	-	-	0	Dd	1	66	1	117	-
+1300475173.475401	zeek	-	1300475173.475401	CFLRIC3zaTU1loLGxh	141.142.220.118	56056	141.142.2.2	53	udp	-	0.000402	36	131	SF	-	-	0	Dd	1	64	1	159	-
+1300475173.475401	zeek	-	1300475173.475401	C9rXSW3KSpTYvPrlI1	141.142.220.118	55092	141.142.2.2	53	udp	-	0.000374	36	198	SF	-	-	0	Dd	1	64	1	226	-
+1300475173.475401	zeek	-	1300475173.475401	Ck51lg1bScffFj34Ri	141.142.220.118	59714	141.142.2.2	53	udp	-	0.000375	38	183	SF	-	-	0	Dd	1	66	1	211	-
+1300475173.475401	zeek	-	1300475173.475401	C9mvWx3ezztgzcexV7	141.142.220.50	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	179	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	CNnMIj2QSd84NKf7U3	141.142.220.118	40526	141.142.2.2	53	udp	-	0.000392	38	183	SF	-	-	0	Dd	1	66	1	211	-
+1300475173.475401	zeek	-	1300475173.475401	C7fIlMZDuRiqjpYbb	141.142.220.118	48128	141.142.2.2	53	udp	-	0.000423	38	183	SF	-	-	0	Dd	1	66	1	211	-
+1300475173.475401	zeek	-	1300475173.475401	CykQaM33ztNt0csB9a	141.142.220.118	48479	141.142.2.2	53	udp	-	0.000317	52	99	SF	-	-	0	Dd	1	80	1	127	-
+1300475173.475401	zeek	-	1300475173.475401	CtxTCR2Yer0FR1tIBg	141.142.220.44	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	85	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	CpmdRlaUoJLN3uIRa	141.142.220.226	137	141.142.220.255	137	udp	-	2.613017	350	0	S0	-	-	0	D	7	546	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	C1Xkzz2MaGtLrc1Tla	141.142.220.118	59746	141.142.2.2	53	udp	-	0.000421	38	183	SF	-	-	0	Dd	1	66	1	211	-
+1300475173.475401	zeek	-	1300475173.475401	CqlVyW1YwZ15RhTBc4	141.142.220.118	59816	141.142.2.2	53	udp	-	0.000343	52	99	SF	-	-	0	Dd	1	80	1	127	-
+1300475173.475401	zeek	-	1300475173.475401	CLNN1k2QMum1aexUK7	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	-	-	-	-	S0	-	-	0	D	1	199	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	CBA8792iHmnhPLksKa	141.142.220.226	55671	224.0.0.252	5355	udp	-	0.099849	66	0	S0	-	-	0	D	2	122	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	CGLPPc35OzDQij1XX8	141.142.220.238	56641	141.142.220.255	137	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	CiyBAq1bBLNaTiTAc	141.142.220.118	38911	141.142.2.2	53	udp	-	0.000335	52	99	SF	-	-	0	Dd	1	80	1	127	-
+1300475173.475401	zeek	-	1300475173.475401	CFSwNi4CNGxcuffo49	fe80::3074:17d5:2052:c324	65373	ff02::1:3	5355	udp	-	0.100096	66	0	S0	-	-	0	D	2	162	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	Cipfzj1BEnhejw8cGf	141.142.220.202	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	73	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	CV5WJ42jPYbNW9JNWf	141.142.220.118	37676	141.142.2.2	53	udp	-	0.000420	52	99	SF	-	-	0	Dd	1	80	1	127	-
+1300475173.475401	zeek	-	1300475173.475401	CPhDKt12KQPUVbQz06	141.142.220.226	55131	224.0.0.252	5355	udp	-	0.100021	66	0	S0	-	-	0	D	2	122	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	CAnFrb2Cvxr5T7quOc	fe80::3074:17d5:2052:c324	54213	ff02::1:3	5355	udp	-	0.099801	66	0	S0	-	-	0	D	2	162	0	0	-
+1300475173.475401	zeek	-	1300475173.475401	C8rquZ3DjgNW06JGLl	141.142.220.118	45000	141.142.2.2	53	udp	-	0.000384	38	89	SF	-	-	0	Dd	1	66	1	117	-
+1300475173.475401	zeek	-	1300475173.475401	CzrZOtXqhwwndQva3	141.142.220.118	32902	141.142.2.2	53	udp	-	0.000317	38	89	SF	-	-	0	Dd	1	66	1	117	-
+1300475173.475401	zeek	-	1300475173.475401	CaGCc13FffXe6RkQl9	141.142.220.118	58206	141.142.2.2	53	udp	-	0.000339	38	89	SF	-	-	0	Dd	1	66	1	117	-
+#close	2019-06-07-02-20-04
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log
index 5d66623de7..6447a50a69 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log
@@ -3,41 +3,41 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2016-08-10-17-45-11
+#open	2019-06-07-02-20-03
 #fields	_write_ts	_stream	_system_name	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	string	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1300475173.475401	conn	bro	1300475169.780331	C3eiCBGOLw3VtHfOj	173.192.163.128	80	141.142.220.235	6705	tcp	-	-	-	-	OTH	-	-	0	H	1	48	0	0	-
-1300475173.475401	conn	bro	1300475168.892913	CmES5u32sYpV7JYN	141.142.220.118	49999	208.80.152.3	80	tcp	-	0.220961	1137	733	S1	-	-	0	ShADad	6	1457	4	949	-
-1300475173.475401	conn	bro	1300475168.724007	CHhAvVGS1DHFjwGM9	141.142.220.118	48649	208.80.152.118	80	tcp	-	0.119905	525	232	S1	-	-	0	ShADad	4	741	3	396	-
-1300475173.475401	conn	bro	1300475168.855330	ClEkJM2Vm5giqnMf4h	141.142.220.118	49997	208.80.152.3	80	tcp	-	0.219720	1125	734	S1	-	-	0	ShADad	6	1445	4	950	-
-1300475173.475401	conn	bro	1300475168.855305	C4J4Th3PJpwUYZZ6gc	141.142.220.118	49996	208.80.152.3	80	tcp	-	0.218501	1171	733	S1	-	-	0	ShADad	6	1491	4	949	-
-1300475173.475401	conn	bro	1300475168.652003	CwjjYJ2WqgTbAqiHl6	141.142.220.118	35634	208.80.152.2	80	tcp	-	0.061329	463	350	OTH	-	-	0	DdA	2	567	1	402	-
-1300475173.475401	conn	bro	1300475168.902635	C37jN32gN3y3AZzyf6	141.142.220.118	35642	208.80.152.2	80	tcp	-	0.120041	534	412	S1	-	-	0	ShADad	4	750	3	576	-
-1300475173.475401	conn	bro	1300475168.859163	CtPZjS20MLrsMUOJi2	141.142.220.118	49998	208.80.152.3	80	tcp	-	0.215893	1130	734	S1	-	-	0	ShADad	6	1450	4	950	-
-1300475173.475401	conn	bro	1300475168.892936	CUM0KZ3MLUfNB0cl11	141.142.220.118	50000	208.80.152.3	80	tcp	-	0.229603	1148	734	S1	-	-	0	ShADad	6	1468	4	950	-
-1300475173.475401	conn	bro	1300475168.895267	CP5puj4I8PtEU4qzYg	141.142.220.118	50001	208.80.152.3	80	tcp	-	0.227284	1178	734	S1	-	-	0	ShADad	6	1498	4	950	-
-1300475173.475401	conn	bro	1300475168.853899	C0LAHyvtKSQHyJxIl	141.142.220.118	43927	141.142.2.2	53	udp	-	0.000435	38	89	SF	-	-	0	Dd	1	66	1	117	-
-1300475173.475401	conn	bro	1300475168.901749	CFLRIC3zaTU1loLGxh	141.142.220.118	56056	141.142.2.2	53	udp	-	0.000402	36	131	SF	-	-	0	Dd	1	64	1	159	-
-1300475173.475401	conn	bro	1300475168.902195	C9rXSW3KSpTYvPrlI1	141.142.220.118	55092	141.142.2.2	53	udp	-	0.000374	36	198	SF	-	-	0	Dd	1	64	1	226	-
-1300475173.475401	conn	bro	1300475168.858713	Ck51lg1bScffFj34Ri	141.142.220.118	59714	141.142.2.2	53	udp	-	0.000375	38	183	SF	-	-	0	Dd	1	66	1	211	-
-1300475173.475401	conn	bro	1300475167.099816	C9mvWx3ezztgzcexV7	141.142.220.50	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	179	0	0	-
-1300475173.475401	conn	bro	1300475168.854837	CNnMIj2QSd84NKf7U3	141.142.220.118	40526	141.142.2.2	53	udp	-	0.000392	38	183	SF	-	-	0	Dd	1	66	1	211	-
-1300475173.475401	conn	bro	1300475168.894787	C7fIlMZDuRiqjpYbb	141.142.220.118	48128	141.142.2.2	53	udp	-	0.000423	38	183	SF	-	-	0	Dd	1	66	1	211	-
-1300475173.475401	conn	bro	1300475168.894422	CykQaM33ztNt0csB9a	141.142.220.118	48479	141.142.2.2	53	udp	-	0.000317	52	99	SF	-	-	0	Dd	1	80	1	127	-
-1300475173.475401	conn	bro	1300475169.899438	CtxTCR2Yer0FR1tIBg	141.142.220.44	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	85	0	0	-
-1300475173.475401	conn	bro	1300475170.862384	CpmdRlaUoJLN3uIRa	141.142.220.226	137	141.142.220.255	137	udp	-	2.613017	350	0	S0	-	-	0	D	7	546	0	0	-
-1300475173.475401	conn	bro	1300475168.892414	C1Xkzz2MaGtLrc1Tla	141.142.220.118	59746	141.142.2.2	53	udp	-	0.000421	38	183	SF	-	-	0	Dd	1	66	1	211	-
-1300475173.475401	conn	bro	1300475168.858306	CqlVyW1YwZ15RhTBc4	141.142.220.118	59816	141.142.2.2	53	udp	-	0.000343	52	99	SF	-	-	0	Dd	1	80	1	127	-
-1300475173.475401	conn	bro	1300475167.097012	CLNN1k2QMum1aexUK7	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	-	-	-	-	S0	-	-	0	D	1	199	0	0	-
-1300475173.475401	conn	bro	1300475173.117362	CBA8792iHmnhPLksKa	141.142.220.226	55671	224.0.0.252	5355	udp	-	0.099849	66	0	S0	-	-	0	D	2	122	0	0	-
-1300475173.475401	conn	bro	1300475173.153679	CGLPPc35OzDQij1XX8	141.142.220.238	56641	141.142.220.255	137	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
-1300475173.475401	conn	bro	1300475168.892037	CiyBAq1bBLNaTiTAc	141.142.220.118	38911	141.142.2.2	53	udp	-	0.000335	52	99	SF	-	-	0	Dd	1	80	1	127	-
-1300475173.475401	conn	bro	1300475171.675372	CFSwNi4CNGxcuffo49	fe80::3074:17d5:2052:c324	65373	ff02::1:3	5355	udp	-	0.100096	66	0	S0	-	-	0	D	2	162	0	0	-
-1300475173.475401	conn	bro	1300475167.096535	Cipfzj1BEnhejw8cGf	141.142.220.202	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	73	0	0	-
-1300475173.475401	conn	bro	1300475168.854378	CV5WJ42jPYbNW9JNWf	141.142.220.118	37676	141.142.2.2	53	udp	-	0.000420	52	99	SF	-	-	0	Dd	1	80	1	127	-
-1300475173.475401	conn	bro	1300475171.677081	CPhDKt12KQPUVbQz06	141.142.220.226	55131	224.0.0.252	5355	udp	-	0.100021	66	0	S0	-	-	0	D	2	122	0	0	-
-1300475173.475401	conn	bro	1300475173.116749	CAnFrb2Cvxr5T7quOc	fe80::3074:17d5:2052:c324	54213	ff02::1:3	5355	udp	-	0.099801	66	0	S0	-	-	0	D	2	162	0	0	-
-1300475173.475401	conn	bro	1300475168.893988	C8rquZ3DjgNW06JGLl	141.142.220.118	45000	141.142.2.2	53	udp	-	0.000384	38	89	SF	-	-	0	Dd	1	66	1	117	-
-1300475173.475401	conn	bro	1300475168.857956	CzrZOtXqhwwndQva3	141.142.220.118	32902	141.142.2.2	53	udp	-	0.000317	38	89	SF	-	-	0	Dd	1	66	1	117	-
-1300475173.475401	conn	bro	1300475168.891644	CaGCc13FffXe6RkQl9	141.142.220.118	58206	141.142.2.2	53	udp	-	0.000339	38	89	SF	-	-	0	Dd	1	66	1	117	-
-#close	2016-08-10-17-45-11
+1300475173.475401	conn	zeek	1300475169.780331	C3eiCBGOLw3VtHfOj	173.192.163.128	80	141.142.220.235	6705	tcp	-	-	-	-	OTH	-	-	0	H	1	48	0	0	-
+1300475173.475401	conn	zeek	1300475168.892913	CmES5u32sYpV7JYN	141.142.220.118	49999	208.80.152.3	80	tcp	-	0.220961	1137	733	S1	-	-	0	ShADad	6	1457	4	949	-
+1300475173.475401	conn	zeek	1300475168.724007	CHhAvVGS1DHFjwGM9	141.142.220.118	48649	208.80.152.118	80	tcp	-	0.119905	525	232	S1	-	-	0	ShADad	4	741	3	396	-
+1300475173.475401	conn	zeek	1300475168.855330	ClEkJM2Vm5giqnMf4h	141.142.220.118	49997	208.80.152.3	80	tcp	-	0.219720	1125	734	S1	-	-	0	ShADad	6	1445	4	950	-
+1300475173.475401	conn	zeek	1300475168.855305	C4J4Th3PJpwUYZZ6gc	141.142.220.118	49996	208.80.152.3	80	tcp	-	0.218501	1171	733	S1	-	-	0	ShADad	6	1491	4	949	-
+1300475173.475401	conn	zeek	1300475168.652003	CwjjYJ2WqgTbAqiHl6	141.142.220.118	35634	208.80.152.2	80	tcp	-	0.061329	463	350	OTH	-	-	0	DdA	2	567	1	402	-
+1300475173.475401	conn	zeek	1300475168.902635	C37jN32gN3y3AZzyf6	141.142.220.118	35642	208.80.152.2	80	tcp	-	0.120041	534	412	S1	-	-	0	ShADad	4	750	3	576	-
+1300475173.475401	conn	zeek	1300475168.859163	CtPZjS20MLrsMUOJi2	141.142.220.118	49998	208.80.152.3	80	tcp	-	0.215893	1130	734	S1	-	-	0	ShADad	6	1450	4	950	-
+1300475173.475401	conn	zeek	1300475168.892936	CUM0KZ3MLUfNB0cl11	141.142.220.118	50000	208.80.152.3	80	tcp	-	0.229603	1148	734	S1	-	-	0	ShADad	6	1468	4	950	-
+1300475173.475401	conn	zeek	1300475168.895267	CP5puj4I8PtEU4qzYg	141.142.220.118	50001	208.80.152.3	80	tcp	-	0.227284	1178	734	S1	-	-	0	ShADad	6	1498	4	950	-
+1300475173.475401	conn	zeek	1300475168.853899	C0LAHyvtKSQHyJxIl	141.142.220.118	43927	141.142.2.2	53	udp	-	0.000435	38	89	SF	-	-	0	Dd	1	66	1	117	-
+1300475173.475401	conn	zeek	1300475168.901749	CFLRIC3zaTU1loLGxh	141.142.220.118	56056	141.142.2.2	53	udp	-	0.000402	36	131	SF	-	-	0	Dd	1	64	1	159	-
+1300475173.475401	conn	zeek	1300475168.902195	C9rXSW3KSpTYvPrlI1	141.142.220.118	55092	141.142.2.2	53	udp	-	0.000374	36	198	SF	-	-	0	Dd	1	64	1	226	-
+1300475173.475401	conn	zeek	1300475168.858713	Ck51lg1bScffFj34Ri	141.142.220.118	59714	141.142.2.2	53	udp	-	0.000375	38	183	SF	-	-	0	Dd	1	66	1	211	-
+1300475173.475401	conn	zeek	1300475167.099816	C9mvWx3ezztgzcexV7	141.142.220.50	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	179	0	0	-
+1300475173.475401	conn	zeek	1300475168.854837	CNnMIj2QSd84NKf7U3	141.142.220.118	40526	141.142.2.2	53	udp	-	0.000392	38	183	SF	-	-	0	Dd	1	66	1	211	-
+1300475173.475401	conn	zeek	1300475168.894787	C7fIlMZDuRiqjpYbb	141.142.220.118	48128	141.142.2.2	53	udp	-	0.000423	38	183	SF	-	-	0	Dd	1	66	1	211	-
+1300475173.475401	conn	zeek	1300475168.894422	CykQaM33ztNt0csB9a	141.142.220.118	48479	141.142.2.2	53	udp	-	0.000317	52	99	SF	-	-	0	Dd	1	80	1	127	-
+1300475173.475401	conn	zeek	1300475169.899438	CtxTCR2Yer0FR1tIBg	141.142.220.44	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	85	0	0	-
+1300475173.475401	conn	zeek	1300475170.862384	CpmdRlaUoJLN3uIRa	141.142.220.226	137	141.142.220.255	137	udp	-	2.613017	350	0	S0	-	-	0	D	7	546	0	0	-
+1300475173.475401	conn	zeek	1300475168.892414	C1Xkzz2MaGtLrc1Tla	141.142.220.118	59746	141.142.2.2	53	udp	-	0.000421	38	183	SF	-	-	0	Dd	1	66	1	211	-
+1300475173.475401	conn	zeek	1300475168.858306	CqlVyW1YwZ15RhTBc4	141.142.220.118	59816	141.142.2.2	53	udp	-	0.000343	52	99	SF	-	-	0	Dd	1	80	1	127	-
+1300475173.475401	conn	zeek	1300475167.097012	CLNN1k2QMum1aexUK7	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	-	-	-	-	S0	-	-	0	D	1	199	0	0	-
+1300475173.475401	conn	zeek	1300475173.117362	CBA8792iHmnhPLksKa	141.142.220.226	55671	224.0.0.252	5355	udp	-	0.099849	66	0	S0	-	-	0	D	2	122	0	0	-
+1300475173.475401	conn	zeek	1300475173.153679	CGLPPc35OzDQij1XX8	141.142.220.238	56641	141.142.220.255	137	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+1300475173.475401	conn	zeek	1300475168.892037	CiyBAq1bBLNaTiTAc	141.142.220.118	38911	141.142.2.2	53	udp	-	0.000335	52	99	SF	-	-	0	Dd	1	80	1	127	-
+1300475173.475401	conn	zeek	1300475171.675372	CFSwNi4CNGxcuffo49	fe80::3074:17d5:2052:c324	65373	ff02::1:3	5355	udp	-	0.100096	66	0	S0	-	-	0	D	2	162	0	0	-
+1300475173.475401	conn	zeek	1300475167.096535	Cipfzj1BEnhejw8cGf	141.142.220.202	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	-	0	D	1	73	0	0	-
+1300475173.475401	conn	zeek	1300475168.854378	CV5WJ42jPYbNW9JNWf	141.142.220.118	37676	141.142.2.2	53	udp	-	0.000420	52	99	SF	-	-	0	Dd	1	80	1	127	-
+1300475173.475401	conn	zeek	1300475171.677081	CPhDKt12KQPUVbQz06	141.142.220.226	55131	224.0.0.252	5355	udp	-	0.100021	66	0	S0	-	-	0	D	2	122	0	0	-
+1300475173.475401	conn	zeek	1300475173.116749	CAnFrb2Cvxr5T7quOc	fe80::3074:17d5:2052:c324	54213	ff02::1:3	5355	udp	-	0.099801	66	0	S0	-	-	0	D	2	162	0	0	-
+1300475173.475401	conn	zeek	1300475168.893988	C8rquZ3DjgNW06JGLl	141.142.220.118	45000	141.142.2.2	53	udp	-	0.000384	38	89	SF	-	-	0	Dd	1	66	1	117	-
+1300475173.475401	conn	zeek	1300475168.857956	CzrZOtXqhwwndQva3	141.142.220.118	32902	141.142.2.2	53	udp	-	0.000317	38	89	SF	-	-	0	Dd	1	66	1	117	-
+1300475173.475401	conn	zeek	1300475168.891644	CaGCc13FffXe6RkQl9	141.142.220.118	58206	141.142.2.2	53	udp	-	0.000339	38	89	SF	-	-	0	Dd	1	66	1	117	-
+#close	2019-06-07-02-20-03
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log
index 7cd09fb789..a08e7d9514 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.content-range-less-than-len/weird.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2018-05-08-20-04-16
+#open	2019-06-07-02-00-44
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1523627611.748118	CHhAvVGS1DHFjwGM9	127.0.0.1	58128	127.0.0.1	80	HTTP_range_not_matching_len	-	F	bro
-#close	2018-05-08-20-04-17
+1523627611.748118	CHhAvVGS1DHFjwGM9	127.0.0.1	58128	127.0.0.1	80	HTTP_range_not_matching_len	-	F	zeek
+#close	2019-06-07-02-00-44
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log
index 141247a989..8245e19c81 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-16-20
+#open	2019-06-07-02-00-44
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1452204358.172926	CHhAvVGS1DHFjwGM9	192.168.122.130	49157	202.7.177.41	80	bad_HTTP_request_with_version	-	F	bro
-#close	2016-07-13-16-16-20
+1452204358.172926	CHhAvVGS1DHFjwGM9	192.168.122.130	49157	202.7.177.41	80	bad_HTTP_request_with_version	-	F	zeek
+#close	2019-06-07-02-00-45
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
index 5ff7cb6ab7..fe218669ca 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log
@@ -3,34 +3,34 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-16-23
+#open	2019-06-07-02-00-45
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1354328874.237327	ClEkJM2Vm5giqnMf4h	128.2.6.136	46563	173.194.75.103	80	missing_HTTP_uri	-	F	bro
-1354328874.278822	C4J4Th3PJpwUYZZ6gc	128.2.6.136	46564	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328874.321792	CtPZjS20MLrsMUOJi2	128.2.6.136	46565	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328882.908690	C37jN32gN3y3AZzyf6	128.2.6.136	46569	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328882.949510	C3eiCBGOLw3VtHfOj	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328887.094494	C0LAHyvtKSQHyJxIl	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.141058	CFLRIC3zaTU1loLGxh	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.183942	C9rXSW3KSpTYvPrlI1	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request_with_version	-	F	bro
-1354328891.226199	Ck51lg1bScffFj34Ri	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.267625	C9mvWx3ezztgzcexV7	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request_with_version	-	F	bro
-1354328891.309065	CNnMIj2QSd84NKf7U3	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
-1354328895.355012	C7fIlMZDuRiqjpYbb	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
-1354328895.396634	CykQaM33ztNt0csB9a	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328895.438812	CtxTCR2Yer0FR1tIBg	128.2.6.136	46580	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328895.480865	CpmdRlaUoJLN3uIRa	128.2.6.136	46581	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
-1354328903.614145	CLNN1k2QMum1aexUK7	128.2.6.136	46584	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328903.656369	CBA8792iHmnhPLksKa	128.2.6.136	46585	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328911.832856	Cipfzj1BEnhejw8cGf	128.2.6.136	46589	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328911.876341	CV5WJ42jPYbNW9JNWf	128.2.6.136	46590	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328920.052085	CzrZOtXqhwwndQva3	128.2.6.136	46594	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328920.094072	CaGCc13FffXe6RkQl9	128.2.6.136	46595	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328924.266693	CzmEfj4RValNyLfT58	128.2.6.136	46599	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328924.308714	CCk2V03QgWwIurU3f	128.2.6.136	46600	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328924.476011	CKJVAj1rNx0nolFFc4	128.2.6.136	46604	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328924.518204	CD7vfu1qu4YJKe1nGi	128.2.6.136	46605	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328932.734579	CRJ9x54IaE7bkVEpad	128.2.6.136	46609	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328932.776609	CAvUKGaEgLlR4i6t2	128.2.6.136	46610	173.194.75.103	80	bad_HTTP_request	-	F	bro
-#close	2016-07-13-16-16-23
+1354328874.237327	ClEkJM2Vm5giqnMf4h	128.2.6.136	46563	173.194.75.103	80	missing_HTTP_uri	-	F	zeek
+1354328874.278822	C4J4Th3PJpwUYZZ6gc	128.2.6.136	46564	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328874.321792	CtPZjS20MLrsMUOJi2	128.2.6.136	46565	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328882.908690	C37jN32gN3y3AZzyf6	128.2.6.136	46569	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328882.949510	C3eiCBGOLw3VtHfOj	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328887.094494	C0LAHyvtKSQHyJxIl	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328891.141058	CFLRIC3zaTU1loLGxh	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328891.183942	C9rXSW3KSpTYvPrlI1	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request_with_version	-	F	zeek
+1354328891.226199	Ck51lg1bScffFj34Ri	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328891.267625	C9mvWx3ezztgzcexV7	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request_with_version	-	F	zeek
+1354328891.309065	CNnMIj2QSd84NKf7U3	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	zeek
+1354328895.355012	C7fIlMZDuRiqjpYbb	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	zeek
+1354328895.396634	CykQaM33ztNt0csB9a	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328895.438812	CtxTCR2Yer0FR1tIBg	128.2.6.136	46580	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328895.480865	CpmdRlaUoJLN3uIRa	128.2.6.136	46581	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	zeek
+1354328903.614145	CLNN1k2QMum1aexUK7	128.2.6.136	46584	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328903.656369	CBA8792iHmnhPLksKa	128.2.6.136	46585	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328911.832856	Cipfzj1BEnhejw8cGf	128.2.6.136	46589	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328911.876341	CV5WJ42jPYbNW9JNWf	128.2.6.136	46590	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328920.052085	CzrZOtXqhwwndQva3	128.2.6.136	46594	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328920.094072	CaGCc13FffXe6RkQl9	128.2.6.136	46595	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328924.266693	CzmEfj4RValNyLfT58	128.2.6.136	46599	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328924.308714	CCk2V03QgWwIurU3f	128.2.6.136	46600	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328924.476011	CKJVAj1rNx0nolFFc4	128.2.6.136	46604	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328924.518204	CD7vfu1qu4YJKe1nGi	128.2.6.136	46605	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328932.734579	CRJ9x54IaE7bkVEpad	128.2.6.136	46609	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+1354328932.776609	CAvUKGaEgLlR4i6t2	128.2.6.136	46610	173.194.75.103	80	bad_HTTP_request	-	F	zeek
+#close	2019-06-07-02-00-45
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log
index f24e35c0d4..0e7d7f91f7 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.no-uri/weird.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-16-26
+#open	2019-06-07-02-00-45
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1362692526.939527	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	80	missing_HTTP_uri	-	F	bro
-#close	2016-07-13-16-16-26
+1362692526.939527	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	80	missing_HTTP_uri	-	F	zeek
+#close	2019-06-07-02-00-45
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log
index df24831d15..8dd763e62c 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-07-28-05-03-01
+#open	2019-06-07-02-00-45
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1501217955.063524	CHhAvVGS1DHFjwGM9	192.168.0.9	57322	192.150.187.12	80	illegal_%_at_end_of_URI	-	F	bro
-1501217957.423701	ClEkJM2Vm5giqnMf4h	192.168.0.9	57323	192.150.187.12	80	partial_escape_at_end_of_URI	-	F	bro
-#close	2017-07-28-05-03-01
+1501217955.063524	CHhAvVGS1DHFjwGM9	192.168.0.9	57322	192.150.187.12	80	illegal_%_at_end_of_URI	-	F	zeek
+1501217957.423701	ClEkJM2Vm5giqnMf4h	192.168.0.9	57323	192.150.187.12	80	partial_escape_at_end_of_URI	-	F	zeek
+#close	2019-06-07-02-00-45
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log
index b88f8724c5..67b7d6616e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-11-03-19-17-18
+#open	2019-06-07-02-00-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1509735979.080381	CtPZjS20MLrsMUOJi2	127.0.0.1	50164	127.0.0.1	6667	contentline_size_exceeded	-	F	bro
-1509735979.080381	CtPZjS20MLrsMUOJi2	127.0.0.1	50164	127.0.0.1	6667	irc_line_size_exceeded	-	F	bro
-1509735981.241042	CtPZjS20MLrsMUOJi2	127.0.0.1	50164	127.0.0.1	6667	irc_invalid_command	-	F	bro
-#close	2017-11-03-19-17-18
+1509735979.080381	CtPZjS20MLrsMUOJi2	127.0.0.1	50164	127.0.0.1	6667	contentline_size_exceeded	-	F	zeek
+1509735979.080381	CtPZjS20MLrsMUOJi2	127.0.0.1	50164	127.0.0.1	6667	irc_line_size_exceeded	-	F	zeek
+1509735981.241042	CtPZjS20MLrsMUOJi2	127.0.0.1	50164	127.0.0.1	6667	irc_invalid_command	-	F	zeek
+#close	2019-06-07-02-00-46
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log
index 908df6470e..959dd8febd 100644
--- a/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2018-09-13-00-31-10
+#open	2019-06-07-02-00-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1536797872.428637	ClEkJM2Vm5giqnMf4h	127.0.0.1	65389	127.0.0.1	6666	irc_invalid_names_line	-	F	bro
-#close	2018-09-13-00-31-10
+1536797872.428637	ClEkJM2Vm5giqnMf4h	127.0.0.1	65389	127.0.0.1	6666	irc_invalid_names_line	-	F	zeek
+#close	2019-06-07-02-00-46
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/zeekproc.intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/zeekproc.intel.log
index d43abf187b..22c67e953a 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/zeekproc.intel.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.removal/zeekproc.intel.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2019-03-24-21-15-06
+#open	2019-06-07-02-29-36
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1553462106.131323	-	-	-	-	-	10.0.0.2	Intel::ADDR	SOMEWHERE	bro	Intel::ADDR	source1	-	-	-
-#close	2019-03-24-21-15-06
+1559874575.982006	-	-	-	-	-	10.0.0.2	Intel::ADDR	SOMEWHERE	zeek	Intel::ADDR	source1	-	-	-
+#close	2019-06-07-02-29-36
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
index 25c032e488..1d2a6e7036 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
@@ -3,23 +3,23 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2017-05-02-20-45-26
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1416942644.593119	CHhAvVGS1DHFjwGM9	192.168.4.149	49422	23.92.19.75	443	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	Fi6J8q3lDJpbQWAnvi	application/x-x509-user-cert	23.92.19.75:443/tcp
-#close	2017-05-02-20-45-26
+1416942644.593119	CHhAvVGS1DHFjwGM9	192.168.4.149	49422	23.92.19.75	443	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	zeek	Intel::DOMAIN	source1	Fi6J8q3lDJpbQWAnvi	application/x-x509-user-cert	23.92.19.75:443/tcp
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2017-05-02-20-45-27
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1170717505.735416	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FeCwNK3rzqPnZ7eBQ5	application/x-x509-user-cert	194.127.84.106:443/tcp
-1170717505.934612	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FeCwNK3rzqPnZ7eBQ5	-	-
-1170717508.883051	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FjkLnG4s34DVZlaBNc	application/x-x509-user-cert	194.127.84.106:443/tcp
-1170717509.082241	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FjkLnG4s34DVZlaBNc	-	-
-1170717511.909717	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	Intel::CERT_HASH	source1	FQXAWgI2FB5STbrff	application/x-x509-user-cert	194.127.84.106:443/tcp
-1170717512.108799	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	Intel::DOMAIN	source1	FQXAWgI2FB5STbrff	-	-
-#close	2017-05-02-20-45-27
+1170717505.735416	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	zeek	Intel::CERT_HASH	source1	FeCwNK3rzqPnZ7eBQ5	application/x-x509-user-cert	194.127.84.106:443/tcp
+1170717505.934612	CHhAvVGS1DHFjwGM9	192.150.187.164	58868	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	zeek	Intel::DOMAIN	source1	FeCwNK3rzqPnZ7eBQ5	-	-
+1170717508.883051	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	zeek	Intel::CERT_HASH	source1	FjkLnG4s34DVZlaBNc	application/x-x509-user-cert	194.127.84.106:443/tcp
+1170717509.082241	ClEkJM2Vm5giqnMf4h	192.150.187.164	58869	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	zeek	Intel::DOMAIN	source1	FjkLnG4s34DVZlaBNc	-	-
+1170717511.909717	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	zeek	Intel::CERT_HASH	source1	FQXAWgI2FB5STbrff	application/x-x509-user-cert	194.127.84.106:443/tcp
+1170717512.108799	C4J4Th3PJpwUYZZ6gc	192.150.187.164	58870	194.127.84.106	443	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	zeek	Intel::DOMAIN	source1	FQXAWgI2FB5STbrff	-	-
+#close	2019-06-07-02-20-06
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log
index fd1dd4749b..e027324ac4 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smb/intel.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2019-03-25-23-33-09
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1549644186.691869	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	pythonfile	Intel::FILE_NAME	SMB::IN_FILE_NAME	bro	Intel::FILE_NAME	source1	FG403EpKSkh5CwCre	-	pythonfile
-#close	2019-03-25-23-33-09
+1549644186.691869	CHhAvVGS1DHFjwGM9	169.254.128.18	49155	169.254.128.15	445	pythonfile	Intel::FILE_NAME	SMB::IN_FILE_NAME	zeek	Intel::FILE_NAME	source1	FG403EpKSkh5CwCre	-	pythonfile
+#close	2019-06-07-02-20-06
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smtp/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smtp/intel.log
index c14b4b10c1..e7c84632c1 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smtp/intel.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smtp/intel.log
@@ -3,14 +3,14 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-08-05-13-22-00
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	jan.grashofer@cern.ch	Intel::EMAIL	SMTP::IN_RCPT_TO	bro	Intel::EMAIL	source1	-	-	-
-1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	jan.grashoefer@cern.ch	Intel::EMAIL	SMTP::IN_FROM	bro	Intel::EMAIL	source1	-	-	-
-1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	jan.grashoefer@gmail.com	Intel::EMAIL	SMTP::IN_TO	bro	Intel::EMAIL	source1	-	-	-
-1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	jan.grashofer@cern.ch	Intel::EMAIL	SMTP::IN_TO	bro	Intel::EMAIL	source1	-	-	-
-1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	addr-spec@example.com	Intel::EMAIL	SMTP::IN_TO	bro	Intel::EMAIL	source1	-	-	-
-1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	name-addr@example.com	Intel::EMAIL	SMTP::IN_TO	bro	Intel::EMAIL	source1	-	-	-
-1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	angle-addr@example.com	Intel::EMAIL	SMTP::IN_TO	bro	Intel::EMAIL	source1	-	-	-
-#close	2016-08-05-13-22-00
+1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	jan.grashofer@cern.ch	Intel::EMAIL	SMTP::IN_RCPT_TO	zeek	Intel::EMAIL	source1	-	-	-
+1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	jan.grashoefer@cern.ch	Intel::EMAIL	SMTP::IN_FROM	zeek	Intel::EMAIL	source1	-	-	-
+1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	jan.grashoefer@gmail.com	Intel::EMAIL	SMTP::IN_TO	zeek	Intel::EMAIL	source1	-	-	-
+1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	jan.grashofer@cern.ch	Intel::EMAIL	SMTP::IN_TO	zeek	Intel::EMAIL	source1	-	-	-
+1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	addr-spec@example.com	Intel::EMAIL	SMTP::IN_TO	zeek	Intel::EMAIL	source1	-	-	-
+1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	name-addr@example.com	Intel::EMAIL	SMTP::IN_TO	zeek	Intel::EMAIL	source1	-	-	-
+1449610263.071201	CHhAvVGS1DHFjwGM9	188.184.129.157	35119	188.184.36.24	25	angle-addr@example.com	Intel::EMAIL	SMTP::IN_TO	zeek	Intel::EMAIL	source1	-	-	-
+#close	2019-06-07-02-20-06
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.whitelisting/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.whitelisting/intel.log
index 66ba6af8db..c64f05a339 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.whitelisting/intel.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.whitelisting/intel.log
@@ -3,27 +3,27 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-08-05-13-24-29
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
-1300475168.853899	CmES5u32sYpV7JYN	141.142.220.118	43927	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.854837	C37jN32gN3y3AZzyf6	141.142.220.118	40526	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.857956	C0LAHyvtKSQHyJxIl	141.142.220.118	32902	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.858713	C9rXSW3KSpTYvPrlI1	141.142.220.118	59714	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.891644	C9mvWx3ezztgzcexV7	141.142.220.118	58206	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.892414	C7fIlMZDuRiqjpYbb	141.142.220.118	59746	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.893988	CpmdRlaUoJLN3uIRa	141.142.220.118	45000	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.894787	CqlVyW1YwZ15RhTBc4	141.142.220.118	48128	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.916018	CwjjYJ2WqgTbAqiHl6	141.142.220.118	49997	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.916183	C3eiCBGOLw3VtHfOj	141.142.220.118	49996	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.918358	Ck51lg1bScffFj34Ri	141.142.220.118	49998	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.952296	CykQaM33ztNt0csB9a	141.142.220.118	49999	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.952307	CtxTCR2Yer0FR1tIBg	141.142.220.118	50000	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.954820	CLNN1k2QMum1aexUK7	141.142.220.118	50001	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.975934	CwjjYJ2WqgTbAqiHl6	141.142.220.118	49997	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.976436	C3eiCBGOLw3VtHfOj	141.142.220.118	49996	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475168.979264	Ck51lg1bScffFj34Ri	141.142.220.118	49998	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475169.014593	CykQaM33ztNt0csB9a	141.142.220.118	49999	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475169.014619	CtxTCR2Yer0FR1tIBg	141.142.220.118	50000	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-1300475169.014927	CLNN1k2QMum1aexUK7	141.142.220.118	50001	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	bro	Intel::DOMAIN	source1	-	-	-
-#close	2016-08-05-13-24-29
+1300475168.853899	CmES5u32sYpV7JYN	141.142.220.118	43927	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.854837	C37jN32gN3y3AZzyf6	141.142.220.118	40526	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.857956	C0LAHyvtKSQHyJxIl	141.142.220.118	32902	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.858713	C9rXSW3KSpTYvPrlI1	141.142.220.118	59714	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.891644	C9mvWx3ezztgzcexV7	141.142.220.118	58206	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.892414	C7fIlMZDuRiqjpYbb	141.142.220.118	59746	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.893988	CpmdRlaUoJLN3uIRa	141.142.220.118	45000	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.894787	CqlVyW1YwZ15RhTBc4	141.142.220.118	48128	141.142.2.2	53	upload.wikimedia.org	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.916018	CwjjYJ2WqgTbAqiHl6	141.142.220.118	49997	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.916183	C3eiCBGOLw3VtHfOj	141.142.220.118	49996	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.918358	Ck51lg1bScffFj34Ri	141.142.220.118	49998	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.952296	CykQaM33ztNt0csB9a	141.142.220.118	49999	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.952307	CtxTCR2Yer0FR1tIBg	141.142.220.118	50000	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.954820	CLNN1k2QMum1aexUK7	141.142.220.118	50001	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.975934	CwjjYJ2WqgTbAqiHl6	141.142.220.118	49997	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.976436	C3eiCBGOLw3VtHfOj	141.142.220.118	49996	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475168.979264	Ck51lg1bScffFj34Ri	141.142.220.118	49998	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475169.014593	CykQaM33ztNt0csB9a	141.142.220.118	49999	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475169.014619	CtxTCR2Yer0FR1tIBg	141.142.220.118	50000	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+1300475169.014927	CLNN1k2QMum1aexUK7	141.142.220.118	50001	208.80.152.3	80	upload.wikimedia.org	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	source1	-	-	-
+#close	2019-06-07-02-20-06
diff --git a/testing/external/commit-hash.zeek-testing b/testing/external/commit-hash.zeek-testing
index 4279dc7bd5..6d84f725d4 100644
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@@ -1 +1 @@
-2f798d6464833260e9ff587f5a0343c2ae294ec8
+8a3fec970bbf27fc50426af236f152853475dad6
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 12e5318ea2..a44f404bf4 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-c02c38339a8f770159a039829b5960997db323f6
+6ec1ec0848f99cf9979085905a72a6def2ae4b0d

From c6378c56e2982740a78cf635ffe56c578a8c452b Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Thu, 6 Jun 2019 20:02:19 -0700
Subject: [PATCH 35/91] Update plugin unit tests to use --zeek-dist

---
 CHANGES                                            | 4 ++++
 VERSION                                            | 2 +-
 aux/zeek-aux                                       | 2 +-
 testing/btest/plugins/bifs-and-scripts-install.sh  | 2 +-
 testing/btest/plugins/bifs-and-scripts.sh          | 2 +-
 testing/btest/plugins/file.zeek                    | 2 +-
 testing/btest/plugins/hooks.zeek                   | 2 +-
 testing/btest/plugins/init-plugin.zeek             | 2 +-
 testing/btest/plugins/logging-hooks.zeek           | 2 +-
 testing/btest/plugins/pktdumper.zeek               | 2 +-
 testing/btest/plugins/pktsrc.zeek                  | 2 +-
 testing/btest/plugins/plugin-nopatchversion.zeek   | 2 +-
 testing/btest/plugins/plugin-withpatchversion.zeek | 2 +-
 testing/btest/plugins/protocol.zeek                | 2 +-
 testing/btest/plugins/reader.zeek                  | 2 +-
 testing/btest/plugins/reporter-hook.zeek           | 2 +-
 testing/btest/plugins/writer.zeek                  | 2 +-
 17 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/CHANGES b/CHANGES
index f1aa663a98..b06fc5b98d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.6-389 | 2019-06-06 20:02:19 -0700
+
+  * Update plugin unit tests to use --zeek-dist (Jon Siwek, Corelight)
+
 2.6-388 | 2019-06-06 19:48:55 -0700
 
   * Change default value of peer_description "zeek" (Jon Siwek, Corelight)
diff --git a/VERSION b/VERSION
index 5317046328..e9a7ecf6e3 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-388
+2.6-389
diff --git a/aux/zeek-aux b/aux/zeek-aux
index e5b766fa0c..bac443d6ce 160000
--- a/aux/zeek-aux
+++ b/aux/zeek-aux
@@ -1 +1 @@
-Subproject commit e5b766fa0cc4e07a8a8275cab271170558f6bd2b
+Subproject commit bac443d6cebca567d3d0da52a25ff4e0bcdd1edd
diff --git a/testing/btest/plugins/bifs-and-scripts-install.sh b/testing/btest/plugins/bifs-and-scripts-install.sh
index a11650678e..0fbad20b36 100644
--- a/testing/btest/plugins/bifs-and-scripts-install.sh
+++ b/testing/btest/plugins/bifs-and-scripts-install.sh
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Foo
 # @TEST-EXEC: bash %INPUT
-# @TEST-EXEC: ./configure --bro-dist=${DIST} --install-root=`pwd`/test-install
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} --install-root=`pwd`/test-install
 # @TEST-EXEC: make
 # @TEST-EXEC: make install
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd`/test-install zeek -NN Demo::Foo >>output
diff --git a/testing/btest/plugins/bifs-and-scripts.sh b/testing/btest/plugins/bifs-and-scripts.sh
index d6c2704125..fadab44978 100644
--- a/testing/btest/plugins/bifs-and-scripts.sh
+++ b/testing/btest/plugins/bifs-and-scripts.sh
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Foo
 # @TEST-EXEC: bash %INPUT
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo >>output
 
 # @TEST-EXEC: echo === >>output
diff --git a/testing/btest/plugins/file.zeek b/testing/btest/plugins/file.zeek
index f83365533a..5a59af6ad7 100644
--- a/testing/btest/plugins/file.zeek
+++ b/testing/btest/plugins/file.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Foo
 # @TEST-EXEC: cp -r %DIR/file-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/ftp/retr.trace %INPUT >>output
diff --git a/testing/btest/plugins/hooks.zeek b/testing/btest/plugins/hooks.zeek
index ad61c6859f..79f750bac5 100644
--- a/testing/btest/plugins/hooks.zeek
+++ b/testing/btest/plugins/hooks.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Hooks
 # @TEST-EXEC: cp -r %DIR/hooks-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Hooks" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/http/get.trace %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq  >output
 # @TEST-EXEC: btest-diff output
 
diff --git a/testing/btest/plugins/init-plugin.zeek b/testing/btest/plugins/init-plugin.zeek
index 1895117c4c..afd167f449 100644
--- a/testing/btest/plugins/init-plugin.zeek
+++ b/testing/btest/plugins/init-plugin.zeek
@@ -1,5 +1,5 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Foo
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/port4242.trace >>output
diff --git a/testing/btest/plugins/logging-hooks.zeek b/testing/btest/plugins/logging-hooks.zeek
index 576a9f0289..b11e3a89f3 100644
--- a/testing/btest/plugins/logging-hooks.zeek
+++ b/testing/btest/plugins/logging-hooks.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Log Hooks
 # @TEST-EXEC: cp -r %DIR/logging-hooks-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Log::Hooks" ZEEK_PLUGIN_PATH=`pwd` zeek -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq  >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: btest-diff ssh.log
diff --git a/testing/btest/plugins/pktdumper.zeek b/testing/btest/plugins/pktdumper.zeek
index 191105dd5a..ff78dad502 100644
--- a/testing/btest/plugins/pktdumper.zeek
+++ b/testing/btest/plugins/pktdumper.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Foo
 # @TEST-EXEC: cp -r %DIR/pktdumper-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo  >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/port4242.trace -w foo::XXX %INPUT FilteredTraceDetection::enable=F >>output
diff --git a/testing/btest/plugins/pktsrc.zeek b/testing/btest/plugins/pktsrc.zeek
index 4058a21440..59a2ea2148 100644
--- a/testing/btest/plugins/pktsrc.zeek
+++ b/testing/btest/plugins/pktsrc.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Foo
 # @TEST-EXEC: cp -r %DIR/pktsrc-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo  >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r foo::XXX %INPUT FilteredTraceDetection::enable=F >>output
diff --git a/testing/btest/plugins/plugin-nopatchversion.zeek b/testing/btest/plugins/plugin-nopatchversion.zeek
index 1fdadc6658..d5f5693bc7 100644
--- a/testing/btest/plugins/plugin-nopatchversion.zeek
+++ b/testing/btest/plugins/plugin-nopatchversion.zeek
@@ -1,5 +1,5 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Testing NoPatchVersion
 # @TEST-EXEC: cp -r %DIR/plugin-nopatchversion-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=$(pwd) zeek -N Testing::NoPatchVersion >> output
 # @TEST-EXEC: btest-diff output
diff --git a/testing/btest/plugins/plugin-withpatchversion.zeek b/testing/btest/plugins/plugin-withpatchversion.zeek
index 45e268d63b..cc484ce44d 100644
--- a/testing/btest/plugins/plugin-withpatchversion.zeek
+++ b/testing/btest/plugins/plugin-withpatchversion.zeek
@@ -1,5 +1,5 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Testing WithPatchVersion
 # @TEST-EXEC: cp -r %DIR/plugin-withpatchversion-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=$(pwd) zeek -N Testing::WithPatchVersion >> output
 # @TEST-EXEC: btest-diff output
diff --git a/testing/btest/plugins/protocol.zeek b/testing/btest/plugins/protocol.zeek
index 9ff886d4b3..295d8dbd2d 100644
--- a/testing/btest/plugins/protocol.zeek
+++ b/testing/btest/plugins/protocol.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Foo
 # @TEST-EXEC: cp -r %DIR/protocol-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/port4242.trace %INPUT >>output
diff --git a/testing/btest/plugins/reader.zeek b/testing/btest/plugins/reader.zeek
index c77289ca92..40cb97765d 100644
--- a/testing/btest/plugins/reader.zeek
+++ b/testing/btest/plugins/reader.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin  -u . Demo Foo
 # @TEST-EXEC: cp -r %DIR/reader-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` btest-bg-run zeek zeek %INPUT
diff --git a/testing/btest/plugins/reporter-hook.zeek b/testing/btest/plugins/reporter-hook.zeek
index c86b4a264d..01229b3d49 100644
--- a/testing/btest/plugins/reporter-hook.zeek
+++ b/testing/btest/plugins/reporter-hook.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Reporter Hook
 # @TEST-EXEC: cp -r %DIR/reporter-hook-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Reporter::Hook" ZEEK_PLUGIN_PATH=`pwd` zeek -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq  >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff reporter.log
diff --git a/testing/btest/plugins/writer.zeek b/testing/btest/plugins/writer.zeek
index a04fb2bc19..21426dfdae 100644
--- a/testing/btest/plugins/writer.zeek
+++ b/testing/btest/plugins/writer.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/zeek-aux/plugin-support/init-plugin -u . Demo Foo
 # @TEST-EXEC: cp -r %DIR/writer-plugin/* .
-# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -NN Demo::Foo >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: ZEEK_PLUGIN_PATH=`pwd` zeek -r $TRACES/socks.trace Log::default_writer=Log::WRITER_FOO %INPUT | sort >>output

From 8d96dea23f16790e1f869c1d9ec387a327809b39 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Fri, 7 Jun 2019 16:48:19 +1000
Subject: [PATCH 36/91] Update SSL documentation.

---
 src/analyzer/protocol/ssl/events.bif          | 49 ++++++++++++++++++-
 .../protocol/ssl/tls-handshake-protocol.pac   |  4 +-
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 6792876a87..86bc89d64e 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -103,6 +103,7 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
 ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
@@ -122,6 +123,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ##    ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@@ -143,6 +145,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
 ## Generated for an Signature Algorithms extension. This TLS extension
@@ -163,6 +166,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
 
 ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
@@ -171,7 +175,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_orig: True if event is raised for the originator side of the connection.
 ##
 ## curves: List of supported/chosen named groups.
 ##
@@ -182,9 +186,47 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
 
+## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
+##
+## The extension lists the identities the client is willing to negotiate with the server;
+## they can either be pre-shared or be based on previous handshakes.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for the originator side of the connection
+##
+## identities: A list of the identities the client is willing to negotiate with the server.
+##
+## binders: A series of HMAC values; for computation, see the TLS 1.3 RFC.
+##
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+##    ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
 event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec%);
+
+## Generated for the pre-shared key extension as it is sent in tht TLS 1.3 server hello.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for the originator side of the connection
+##
+## selected_identity: The identity the server chose as a 0-based index into the identities
+##                    the client sent.
+##
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
+##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
+##    ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
 event ssl_extension_pre_shared_key_server_hello%(c: connection, is_orig: bool, selected_identity: count%);
 
 ## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
@@ -300,6 +342,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
 ##    ssl_extension_server_name ssl_extension_key_share
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_signed_certificate_timestamp
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
 
 ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
@@ -321,6 +364,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
 ##    ssl_extension_key_share
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_signed_certificate_timestamp
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
 
 ## Generated for the signed_certificate_timestamp TLS extension as defined in
@@ -351,6 +395,7 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_application_layer_protocol_negotiation
 ##    x509_ocsp_ext_signed_certificate_timestamp sct_verify
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
 
 ## Generated for an TLS Supported Versions extension. This TLS extension
@@ -370,6 +415,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool,
 ##    ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_key_share ssl_extension_server_name
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%);
 
 ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
@@ -387,6 +433,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
 ##    ssl_extension_application_layer_protocol_negotiation
 ##    ssl_extension_key_share ssl_extension_server_name
 ##    ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
 event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 479275bbe3..3fcf1c595c 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -870,7 +870,9 @@ type ClientHelloKeyShare(rec: HandshakeRecord) = record {
 type KeyShare(rec: HandshakeRecord, ext: SSLExtension) = case rec.msg_type of {
 	CLIENT_HELLO -> client_hello_keyshare : ClientHelloKeyShare(rec);
 	SERVER_HELLO -> server_hello_keyshare : ServerHelloKeyShareChoice(rec, ext);
-	# ... well, we don't parse hello retry requests yet, because I don't have an example of them on the wire.
+	# in old traces, theoretically hello retry requests might show up as a separate type here.
+	# If this happens, just ignore the extension - we do not have any example traffic for this.
+	# And it will not happen in anything speaking TLS 1.3, or not completely ancient drafts of it.
 	default -> other : bytestring &restofdata &transient;
 };
 

From 00f93411838fd08cbcbbbf2113ef858abdb9f72d Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Wed, 5 Jun 2019 18:46:51 +0000
Subject: [PATCH 37/91] Couple of compile fixes.

This is branched from topic/johanna/remove-serializer.
---
 src/analyzer/protocol/krb/KRB.cc   | 2 ++
 src/probabilistic/CounterVector.cc | 1 +
 2 files changed, 3 insertions(+)

diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc
index 4ee663dcf1..e6bd42b961 100644
--- a/src/analyzer/protocol/krb/KRB.cc
+++ b/src/analyzer/protocol/krb/KRB.cc
@@ -1,5 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <unistd.h>
+
 #include "KRB.h"
 #include "types.bif.h"
 #include "events.bif.h"
diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc
index 1a3c98c73f..e234d5c9d9 100644
--- a/src/probabilistic/CounterVector.cc
+++ b/src/probabilistic/CounterVector.cc
@@ -2,6 +2,7 @@
 
 #include "CounterVector.h"
 
+#include <cassert>
 #include <limits>
 #include "BitVector.h"
 

From c0c5dccd065f0568b7b9144f074c13d98045dfb1 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Fri, 7 Jun 2019 22:55:13 +0000
Subject: [PATCH 38/91] Add new test for when-statement watching global
 variables.

---
 aux/broker                                    |  2 +-
 aux/btest                                     |  2 +-
 aux/netcontrol-connectors                     |  2 +-
 aux/zeek-aux                                  |  2 +-
 aux/zeekctl                                   |  2 +-
 doc                                           |  2 +-
 .../Baseline/language.when-on-globals/out     |  4 ++
 testing/btest/language/when-on-globals.zeek   | 71 +++++++++++++++++++
 8 files changed, 81 insertions(+), 6 deletions(-)
 create mode 100644 testing/btest/Baseline/language.when-on-globals/out
 create mode 100644 testing/btest/language/when-on-globals.zeek

diff --git a/aux/broker b/aux/broker
index 0c7a8816fd..e142a362b4 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 0c7a8816fd385af4f633cb7239e3c63e6c88c27e
+Subproject commit e142a362b4c712699ac43494a245058948c085c8
diff --git a/aux/btest b/aux/btest
index 6ece47ba64..539c2d8253 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 6ece47ba6438e7a6db5c7b85a68b3c16f0911871
+Subproject commit 539c2d82534345c62ba9a20c2e98ea5cbdea9c7e
diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors
index e93235aa6e..43da5d80fd 160000
--- a/aux/netcontrol-connectors
+++ b/aux/netcontrol-connectors
@@ -1 +1 @@
-Subproject commit e93235aa6e45820af7e23e97627845a7b2b3d919
+Subproject commit 43da5d80fdf0923e790af3c21749f6e6241cda80
diff --git a/aux/zeek-aux b/aux/zeek-aux
index 3ecc7b8c34..bac443d6ce 160000
--- a/aux/zeek-aux
+++ b/aux/zeek-aux
@@ -1 +1 @@
-Subproject commit 3ecc7b8c348a7b768092dad75e6cb54c6357b9d7
+Subproject commit bac443d6cebca567d3d0da52a25ff4e0bcdd1edd
diff --git a/aux/zeekctl b/aux/zeekctl
index a955e66c8b..37275b29f5 160000
--- a/aux/zeekctl
+++ b/aux/zeekctl
@@ -1 +1 @@
-Subproject commit a955e66c8b07fd6715c7ed379d0759acc592bb78
+Subproject commit 37275b29f5fe5fa68808229907a6f7bebcddafdf
diff --git a/doc b/doc
index e5422eafff..f8869ea5f7 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit e5422eafff850708f4d4ff590e54299ddc97ca42
+Subproject commit f8869ea5f72cda06d5acf0fbeefd5af102f7d77e
diff --git a/testing/btest/Baseline/language.when-on-globals/out b/testing/btest/Baseline/language.when-on-globals/out
new file mode 100644
index 0000000000..44dae2c89e
--- /dev/null
+++ b/testing/btest/Baseline/language.when-on-globals/out
@@ -0,0 +1,4 @@
+"j" in x3[20]$x, expected timeout
+15 in x2, T
+x1 != 42, T
+x2[10], T
diff --git a/testing/btest/language/when-on-globals.zeek b/testing/btest/language/when-on-globals.zeek
new file mode 100644
index 0000000000..087a88b4db
--- /dev/null
+++ b/testing/btest/language/when-on-globals.zeek
@@ -0,0 +1,71 @@
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT | sort >out
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+
+type X: record {
+    s: string;
+    x: set[string] &optional;
+};
+
+global x1 = 42;
+global x2: table[count] of X;
+global x3: table[count] of X;
+
+event quit()
+{
+    terminate();
+}
+
+event zeek_init()
+	{
+	x2[10] = [$s="foo"];
+	x3[20] = [$s="bar", $x=set("i")];
+
+	when ( x1 != 42 )
+		{
+		print "x1 != 42", x1 != 42;
+		}
+	timeout 1sec
+		{
+		print "unexpected timeout (1)";
+		}
+
+	when ( 15 in x2 )
+		{
+		print "15 in x2", 10 in x2;
+		}
+	timeout 1sec
+		{
+		print "unexpected timeout (2)";
+		}
+
+	when ( x2[10]$s == "bar" )
+		{
+		print "x2[10]", x2[10]$s == "bar";
+		}
+	timeout 1sec
+		{
+		print "unexpected timeout (3)";
+		}
+
+	when ( "j" in x3[20]$x )
+		{
+		print "unexpected trigger";
+		}
+	timeout 1sec
+		{
+		print "\"j\" in x3[20]$x, expected timeout";
+		}
+
+	x1 = 100;
+	x2[15] = [$s="xyz"];
+	x2[10]$s = "bar";
+
+	# This will *NOT* trigger then when-condition because we're modifying
+	# an inner value that's not directly tracked.
+	add x3[20]$x["j"];
+
+	schedule 2secs { quit() };
+}
+

From 02214dafc40cf3cf7996e879b99ec6cde1f187f1 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Thu, 6 Jun 2019 02:49:18 +0000
Subject: [PATCH 39/91] Redo NotfifierRegistry to no longer rely on
 StateAccess.

We simplify the API to a simple Modified() operation.
---
 src/StateAccess.cc | 109 +++++++++++++++++++++++----------------------
 src/StateAccess.h  |  37 ++++++++-------
 src/Trigger.h      |   4 +-
 3 files changed, 80 insertions(+), 70 deletions(-)

diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index 997eb5a48d..cc867468c8 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -149,7 +149,7 @@ void StateAccess::Replay()
 
 	Val* v = target.id->ID_Val();
 	TypeTag t = v ? v->Type()->Tag() : TYPE_VOID;
-		
+
 	if ( opcode != OP_ASSIGN && ! v )
 		{
 		// FIXME: I think this warrants an internal error,
@@ -514,22 +514,17 @@ void StateAccess::Describe(ODesc* d) const
 
 void StateAccess::Log(StateAccess* access)
 	{
-	bool tracked = false;
-
 	if ( access->target_type == TYPE_ID )
 		{
 		if ( access->target.id->FindAttr(ATTR_TRACKED) )
-			tracked = true;
+			notifiers.Modified(access->target.id);
 		}
 	else
 		{
 		if ( access->target.val->GetProperties() & MutableVal::TRACKED )
-			tracked = true;
+			notifiers.Modified(access->target.val);
 		}
 
-	if ( tracked )
-		notifiers.AccessPerformed(*access);
-
 #ifdef DEBUG
 	ODesc desc;
 	access->Describe(&desc);
@@ -543,6 +538,15 @@ void StateAccess::Log(StateAccess* access)
 
 NotifierRegistry notifiers;
 
+NotifierRegistry::~NotifierRegistry()
+	{
+	for ( auto i : ids )
+		Unref(i.first);
+
+	for ( auto i : vals )
+		Unref(i.first);
+	}
+
 void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
 	{
 	DBG_LOG(DBG_NOTIFIERS, "registering ID %s for notifier %s",
@@ -563,24 +567,20 @@ void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
 
 	Unref(attr);
 
-	NotifierMap::iterator i = ids.find(id->Name());
-
-	if ( i != ids.end() )
-		i->second->insert(notifier);
-	else
-		{
-		NotifierSet* s = new NotifierSet;
-		s->insert(notifier);
-		ids.insert(NotifierMap::value_type(id->Name(), s));
-		}
-
+	ids.insert({id, notifier});
 	Ref(id);
 	}
 
 void NotifierRegistry::Register(Val* val, NotifierRegistry::Notifier* notifier)
 	{
-	if ( val->IsMutableVal() )
-		Register(val->AsMutableVal()->UniqueID(), notifier);
+	if ( ! val->IsMutableVal() )
+		return;
+
+	DBG_LOG(DBG_NOTIFIERS, "registering value %p for notifier %s",
+		val, notifier->Name());
+
+	vals.insert({val, notifier});
+	Ref(val);
 	}
 
 void NotifierRegistry::Unregister(ID* id, NotifierRegistry::Notifier* notifier)
@@ -588,52 +588,55 @@ void NotifierRegistry::Unregister(ID* id, NotifierRegistry::Notifier* notifier)
 	DBG_LOG(DBG_NOTIFIERS, "unregistering ID %s for notifier %s",
 		id->Name(), notifier->Name());
 
-	NotifierMap::iterator i = ids.find(id->Name());
-
-	if ( i == ids.end() )
-		return;
-
-	Attr* attr = id->Attrs()->FindAttr(ATTR_TRACKED);
-	id->Attrs()->RemoveAttr(ATTR_TRACKED);
-	Unref(attr);
-
-	NotifierSet* s = i->second;
-	s->erase(notifier);
-
-	if ( s->size() == 0 )
+	auto x = ids.equal_range(id);
+	for ( auto i = x.first; i != x.second; i++ )
 		{
-		delete s;
-		ids.erase(i);
+		if ( i->second == notifier )
+			{
+			ids.erase(i);
+			Unref(id);
+			break;
+			}
 		}
 
-	Unref(id);
+	if ( ids.find(id) == ids.end() )
+		// Last registered notifier for this ID
+		id->Attrs()->RemoveAttr(ATTR_TRACKED);
 	}
 
 void NotifierRegistry::Unregister(Val* val, NotifierRegistry::Notifier* notifier)
 	{
-	if ( val->IsMutableVal() )
-		Unregister(val->AsMutableVal()->UniqueID(), notifier);
+	DBG_LOG(DBG_NOTIFIERS, "unregistering Val %p for notifier %s",
+		val, notifier->Name());
+
+	auto x = vals.equal_range(val);
+	for ( auto i = x.first; i != x.second; i++ )
+		{
+		if ( i->second == notifier )
+			{
+			vals.erase(i);
+			Unref(val);
+			break;
+			}
+		}
 	}
 
-void NotifierRegistry::AccessPerformed(const StateAccess& sa)
+void NotifierRegistry::Modified(Val *val)
 	{
-	ID* id = sa.Target();
+	DBG_LOG(DBG_NOTIFIERS, "modification to tracked value %p", val);
 
-	NotifierMap::iterator i = ids.find(id->Name());
-
-	if ( i == ids.end() )
-		return;
+	auto x = vals.equal_range(val);
+	for ( auto i = x.first; i != x.second; i++ )
+		i->second->Modified(val);
+	}
 
+void NotifierRegistry::Modified(ID *id)
+	{
 	DBG_LOG(DBG_NOTIFIERS, "modification to tracked ID %s", id->Name());
 
-	NotifierSet* s = i->second;
-
-	if ( id->IsInternalGlobal() )
-		for ( NotifierSet::iterator j = s->begin(); j != s->end(); j++ )
-			(*j)->Access(id->ID_Val(), sa);
-	else
-		for ( NotifierSet::iterator j = s->begin(); j != s->end(); j++ )
-			(*j)->Access(id, sa);
+	auto x = ids.equal_range(id);
+	for ( auto i = x.first; i != x.second; i++ )
+		i->second->Modified(id);
 	}
 
 const char* NotifierRegistry::Notifier::Name() const
diff --git a/src/StateAccess.h b/src/StateAccess.h
index 15e2ae4676..86f1dbe88c 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -4,7 +4,7 @@
 #define STATEACESSS_H
 
 #include <set>
-#include <map>
+#include <unordered_map>
 #include <string>
 
 class Val;
@@ -105,32 +105,39 @@ public:
 	public:
 		virtual ~Notifier()	{ }
 
-		// Called when a change is being performed. Note that when these
-		// methods are called, it is undefined whether the change has
-		// already been done or is just going to be performed soon.
-		virtual void Access(ID* id, const StateAccess& sa) = 0;
-		virtual void Access(Val* val, const StateAccess& sa) = 0;
+		// Called when a change is being performed. Note that when
+		// these methods are called, it is undefined whether the
+		// change has already been done or is just going to be
+		// performed soon.
+		virtual void Modified(ID* id) = 0;
+		virtual void Modified(Val* val) = 0;
 		virtual const char* Name() const;	// for debugging
 	};
 
 	NotifierRegistry()	{ }
-	~NotifierRegistry()	{ }
+	~NotifierRegistry();
 
-	// Inform the given notifier if ID/Val changes.
+	// Register a new notifier to be informed when ID/Val changes. Note
+	// that the registry will store a reference to the target, keeping
+	// the instance alive for as long as it's registered.
 	void Register(ID* id, Notifier* notifier);
 	void Register(Val* val, Notifier* notifier);
 
-	// Cancel notification for this ID/Val.
+	// Cancel a notifier's tracking for this ID/Val, also releasing the
+	// referencee being held.
 	void Unregister(ID* id, Notifier* notifier);
 	void Unregister(Val* val, Notifier* notifier);
 
-private:
-	friend class StateAccess;
-	void AccessPerformed(const StateAccess& sa);
+	// Inform all registered notifiiers of a modification to a value/ID.
+	void Modified(ID *id);
+	void Modified(Val *val);
 
-	typedef std::set<Notifier*> NotifierSet;
-	typedef std::map<std::string, NotifierSet*> NotifierMap;
-	NotifierMap ids;
+private:
+	typedef std::unordered_multimap<Val*, Notifier*> ValMap;
+	typedef std::unordered_multimap<ID*, Notifier*> IDMap;
+
+	ValMap vals;
+	IDMap ids;
 };
 
 extern NotifierRegistry notifiers;
diff --git a/src/Trigger.h b/src/Trigger.h
index 0f7889d19a..8dc478e049 100644
--- a/src/Trigger.h
+++ b/src/Trigger.h
@@ -61,9 +61,9 @@ public:
 		{ d->Add("<trigger>"); }
 	// Overidden from Notifier.  We queue the trigger and evaluate it
 	// later to avoid race conditions.
-	void Access(ID* id, const StateAccess& sa) override
+	void Modified(ID* id) override
 		{ QueueTrigger(this); }
-	void Access(Val* val, const StateAccess& sa) override
+	void Modified(Val* val) override
 		{ QueueTrigger(this); }
 
 	const char* Name() const override;

From 31ddca863cf352038914415cc1e64e056914c7b2 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Thu, 6 Jun 2019 03:11:00 +0000
Subject: [PATCH 40/91] Remove StateAccess class.

---
 src/DebugLogger.cc |   2 +-
 src/DebugLogger.h  |   3 +-
 src/ID.cc          |   2 +-
 src/StateAccess.cc | 532 ---------------------------------------------
 src/StateAccess.h  |  63 ------
 src/Val.cc         | 130 +----------
 src/Val.h          |  15 +-
 src/bro.bif        |  11 -
 8 files changed, 14 insertions(+), 744 deletions(-)

diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 8f0425270d..ed8b3e1e95 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -12,7 +12,7 @@ DebugLogger debug_logger;
 // Same order here as in DebugStream.
 DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
 	{ "serial", 0, false }, { "rules", 0, false },
-	{ "state", 0, false }, {"string", 0, false },
+	{ "string", 0, false },
 	{ "notifiers", 0, false },  { "main-loop", 0, false },
 	{ "dpd", 0, false }, { "tm", 0, false },
 	{ "logging", 0, false }, {"input", 0, false },
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index 2e24c7064f..0e2862dc23 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -16,9 +16,8 @@
 enum DebugStream {
 	DBG_SERIAL, // Serialization
 	DBG_RULES,	// Signature matching
-	DBG_STATE,	// StateAccess logging
 	DBG_STRING,	// String code
-	DBG_NOTIFIERS,	// Notifiers (see StateAccess.h)
+	DBG_NOTIFIERS,	// Notifiers
 	DBG_MAINLOOP,	// Main IOSource loop
 	DBG_ANALYZER,	// Analyzer framework
 	DBG_TM,		// Time-machine packet input via Brocolli
diff --git a/src/ID.cc b/src/ID.cc
index 12677bec75..915b5002b9 100644
--- a/src/ID.cc
+++ b/src/ID.cc
@@ -79,7 +79,7 @@ void ID::SetVal(Val* v, Opcode op, bool arg_weak_ref)
 #else
 		if ( debug_logger.IsVerbose() || props )
 #endif
-			StateAccess::Log(new StateAccess(op, this, v, val));
+			notifiers.Modified(this);
 		}
 
 	if ( ! weak_ref )
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index cc867468c8..853a8a7879 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -4,538 +4,6 @@
 #include "NetVar.h"
 #include "DebugLogger.h"
 
-int StateAccess::replaying = 0;
-
-StateAccess::StateAccess(Opcode arg_opcode,
-		const MutableVal* arg_target, const Val* arg_op1,
-		const Val* arg_op2, const Val* arg_op3)
-	{
-	opcode = arg_opcode;
-	target.val = const_cast<MutableVal*>(arg_target);
-	target_type = TYPE_MVAL;
-	op1.val = const_cast<Val*>(arg_op1);
-	op1_type = TYPE_VAL;
-	op2 = const_cast<Val*>(arg_op2);
-	op3 = const_cast<Val*>(arg_op3);
-	delete_op1_key = false;
-
-	RefThem();
-	}
-
-StateAccess::StateAccess(Opcode arg_opcode,
-		const ID* arg_target, const Val* arg_op1,
-		const Val* arg_op2, const Val* arg_op3)
-	{
-	opcode = arg_opcode;
-	target.id = const_cast<ID*>(arg_target);
-	target_type = TYPE_ID;
-	op1.val = const_cast<Val*>(arg_op1);
-	op1_type = TYPE_VAL;
-	op2 = const_cast<Val*>(arg_op2);
-	op3 = const_cast<Val*>(arg_op3);
-	delete_op1_key = false;
-
-	RefThem();
-	}
-
-StateAccess::StateAccess(Opcode arg_opcode,
-		const ID* arg_target, const HashKey* arg_op1,
-		const Val* arg_op2, const Val* arg_op3)
-	{
-	opcode = arg_opcode;
-	target.id = const_cast<ID*>(arg_target);
-	target_type = TYPE_ID;
-	op1.key = new HashKey(arg_op1->Key(), arg_op1->Size(), arg_op1->Hash());
-	op1_type = TYPE_KEY;
-	op2 = const_cast<Val*>(arg_op2);
-	op3 = const_cast<Val*>(arg_op3);
-	delete_op1_key = true;
-
-	RefThem();
-	}
-
-StateAccess::StateAccess(Opcode arg_opcode,
-		const MutableVal* arg_target, const HashKey* arg_op1,
-		const Val* arg_op2, const Val* arg_op3)
-	{
-	opcode = arg_opcode;
-	target.val = const_cast<MutableVal*>(arg_target);
-	target_type = TYPE_MVAL;
-	op1.key = new HashKey(arg_op1->Key(), arg_op1->Size(), arg_op1->Hash());
-	op1_type = TYPE_KEY;
-	op2 = const_cast<Val*>(arg_op2);
-	op3 = const_cast<Val*>(arg_op3);
-	delete_op1_key = true;
-
-	RefThem();
-	}
-
-StateAccess::StateAccess(const StateAccess& sa)
-	{
-	opcode = sa.opcode;
-	target_type = sa.target_type;
-	op1_type = sa.op1_type;
-	delete_op1_key = false;
-
-	if ( target_type == TYPE_ID )
-		target.id = sa.target.id;
-	else
-		target.val = sa.target.val;
-
-	if ( op1_type == TYPE_VAL )
-		op1.val = sa.op1.val;
-	else
-		{
-		// We need to copy the key as the pointer may not be
-		// valid anymore later.
-		op1.key = new HashKey(sa.op1.key->Key(), sa.op1.key->Size(),
-					sa.op1.key->Hash());
-		delete_op1_key = true;
-		}
-
-	op2 = sa.op2;
-	op3 = sa.op3;
-
-	RefThem();
-	}
-
-StateAccess::~StateAccess()
-	{
-	if ( target_type == TYPE_ID )
-		Unref(target.id);
-	else
-		Unref(target.val);
-
-	if ( op1_type == TYPE_VAL )
-		Unref(op1.val);
-	else if ( delete_op1_key )
-		delete op1.key;
-
-	Unref(op2);
-	Unref(op3);
-	}
-
-void StateAccess::RefThem()
-	{
-	if ( target_type == TYPE_ID )
-		Ref(target.id);
-	else
-		Ref(target.val);
-
-	if ( op1_type == TYPE_VAL && op1.val )
-		Ref(op1.val);
-
-	if ( op2 )
-		Ref(op2);
-	if ( op3 )
-		Ref(op3);
-	}
-
-static Val* GetInteger(bro_int_t n, TypeTag t)
-	{
-	if ( t == TYPE_INT )
-		return val_mgr->GetInt(n);
-
-	return val_mgr->GetCount(n);
-	}
-
-void StateAccess::Replay()
-	{
-	// For simplicity we assume that we only replay unserialized accesses.
-	assert(target_type == TYPE_ID && op1_type == TYPE_VAL);
-
-	if ( ! target.id )
-		return;
-
-	Val* v = target.id->ID_Val();
-	TypeTag t = v ? v->Type()->Tag() : TYPE_VOID;
-
-	if ( opcode != OP_ASSIGN && ! v )
-		{
-		// FIXME: I think this warrants an internal error,
-		// but let's check that first ...
-		// reporter->InternalError("replay id lacking a value");
-		reporter->Error("replay id lacks a value");
-		return;
-		}
-
-	++replaying;
-
-	switch ( opcode ) {
-	case OP_ASSIGN:
-		assert(op1.val);
-		// There mustn't be a direct assignment to a unique ID.
-		assert(target.id->Name()[0] != '#');
-
-		target.id->SetVal(op1.val->Ref());
-		break;
-
-	case OP_INCR:
-		if ( IsIntegral(t) )
-			{
-			assert(op1.val && op2);
-			// We derive the amount as difference between old
-			// and new value.
-			bro_int_t amount =
-				op1.val->CoerceToInt() - op2->CoerceToInt();
-
-			target.id->SetVal(GetInteger(v->CoerceToInt() + amount, t),
-						OP_INCR);
-			}
-		break;
-
-	case OP_ASSIGN_IDX:
-		assert(op1.val);
-
-		if ( t == TYPE_TABLE )
-			{
-			assert(op2);
-			v->AsTableVal()->Assign(op1.val, op2 ? op2->Ref() : 0);
-			}
-
-		else if ( t == TYPE_RECORD )
-			{
-			const char* field = op1.val->AsString()->CheckString();
-			int idx = v->Type()->AsRecordType()->FieldOffset(field);
-
-			if ( idx >= 0 )
-				v->AsRecordVal()->Assign(idx, op2 ? op2->Ref() : 0);
-			else
-				reporter->Error("access replay: unknown record field %s for assign", field);
-			}
-
-		else if ( t == TYPE_VECTOR )
-			{
-			assert(op2);
-			bro_uint_t index = op1.val->AsCount();
-			v->AsVectorVal()->Assign(index, op2 ? op2->Ref() : 0);
-			}
-
-		else
-			reporter->InternalError("unknown type in replaying index assign");
-
-		break;
-
-	case OP_INCR_IDX:
-		{
-		assert(op1.val && op2 && op3);
-
-		// We derive the amount as the difference between old
-		// and new value.
-		bro_int_t amount = op2->CoerceToInt() - op3->CoerceToInt();
-
-		if ( t == TYPE_TABLE )
-			{
-			t = v->Type()->AsTableType()->YieldType()->Tag();
-			Val* lookup_op1 = v->AsTableVal()->Lookup(op1.val);
-			int delta = lookup_op1->CoerceToInt() + amount;
-			Val* new_val = GetInteger(delta, t);
-			v->AsTableVal()->Assign(op1.val, new_val, OP_INCR );
-			}
-
-		else if ( t == TYPE_RECORD )
-			{
-			const char* field = op1.val->AsString()->CheckString();
-			int idx = v->Type()->AsRecordType()->FieldOffset(field);
-			if ( idx >= 0 )
-				{
-				t = v->Type()->AsRecordType()->FieldType(idx)->Tag();
-				Val* lookup_field =
-					v->AsRecordVal()->Lookup(idx);
-				bro_int_t delta =
-					lookup_field->CoerceToInt() + amount;
-				Val* new_val = GetInteger(delta, t);
-				v->AsRecordVal()->Assign(idx, new_val, OP_INCR);
-				}
-			else
-				reporter->Error("access replay: unknown record field %s for assign", field);
-			}
-
-		else if ( t == TYPE_VECTOR )
-			{
-			bro_uint_t index = op1.val->AsCount();
-			t = v->Type()->AsVectorType()->YieldType()->Tag();
-			Val* lookup_op1 = v->AsVectorVal()->Lookup(index);
-			int delta = lookup_op1->CoerceToInt() + amount;
-			Val* new_val = GetInteger(delta, t);
-			v->AsVectorVal()->Assign(index, new_val);
-			}
-
-		else
-			reporter->InternalError("unknown type in replaying index increment");
-
-		break;
-		}
-
-	case OP_ADD:
-		assert(op1.val);
-		if ( t == TYPE_TABLE )
-			{
-			v->AsTableVal()->Assign(op1.val, 0);
-			}
-		break;
-
-	case OP_DEL:
-		assert(op1.val);
-		if ( t == TYPE_TABLE )
-			{
-			Unref(v->AsTableVal()->Delete(op1.val));
-			}
-		break;
-
-	case OP_EXPIRE:
-		assert(op1.val);
-		if ( t == TYPE_TABLE )
-			{
-			// No old check for expire.  It may have already
-			// been deleted by ourselves.  Furthermore, we
-			// ignore the expire_func's return value.
-			TableVal* tv = v->AsTableVal();
-			if ( tv->Lookup(op1.val, false) )
-				{
-				// We want to propagate state updates which
-				// are performed in the expire_func.
-				StateAccess::ResumeReplay();
-
-				tv->CallExpireFunc(op1.val->Ref());
-
-				StateAccess::SuspendReplay();
-
-				Unref(tv->AsTableVal()->Delete(op1.val));
-				}
-			}
-
-		break;
-
-	case OP_PRINT:
-		assert(op1.val);
-		reporter->InternalError("access replay for print not implemented");
-		break;
-
-	case OP_READ_IDX:
-		if ( t == TYPE_TABLE )
-			{
-			assert(op1.val);
-			TableVal* tv = v->AsTableVal();
-
-			// Update the timestamp if we have a read_expire.
-			if ( tv->FindAttr(ATTR_EXPIRE_READ) )
-				{
-				tv->UpdateTimestamp(op1.val);
-				}
-			}
-		else
-			reporter->Error("read for non-table");
-		break;
-
-	default:
-		reporter->InternalError("access replay: unknown opcode for StateAccess");
-		break;
-		}
-
-	--replaying;
-	}
-
-ID* StateAccess::Target() const
-	{
-	return target_type == TYPE_ID ? target.id : target.val->UniqueID();
-	}
-
-void StateAccess::Describe(ODesc* d) const
-	{
-	const ID* id;
-	const char* id_str = "";
-	const char* unique_str = "";
-
-	d->SetShort();
-
-	if ( target_type == TYPE_ID )
-		{
-		id = target.id;
-
-		if ( ! id )
-			{
-			d->Add("(unknown id)");
-			return;
-			}
-
-		id_str = id->Name();
-
-		if ( id->ID_Val() && id->ID_Val()->IsMutableVal() &&
-		     id->Name()[0] != '#' )
-			unique_str = fmt(" [id] (%s)", id->ID_Val()->AsMutableVal()->UniqueID()->Name());
-		}
-	else
-		{
-		id = target.val->UniqueID();
-
-#ifdef DEBUG
-		if ( target.val->GetID() )
-			{
-			id_str = target.val->GetID()->Name();
-			unique_str = fmt(" [val] (%s)", id->Name());
-			}
-		else
-#endif
-			id_str = id->Name();
-		}
-
-	const Val* op1 = op1_type == TYPE_VAL ?
-		this->op1.val :
-		id->ID_Val()->AsTableVal()->RecoverIndex(this->op1.key);
-
-	switch ( opcode ) {
-	case OP_ASSIGN:
-		assert(op1);
-		d->Add(id_str);
-		d->Add(" = ");
-		op1->Describe(d);
-		if ( op2 )
-			{
-			d->Add(" (");
-			op2->Describe(d);
-			d->Add(")");
-			}
-		d->Add(unique_str);
-		break;
-
-	case OP_INCR:
-		assert(op1 && op2);
-		d->Add(id_str);
-		d->Add(" += ");
-		d->Add(op1->CoerceToInt() - op2->CoerceToInt());
-		d->Add(unique_str);
-		break;
-
-	case OP_ASSIGN_IDX:
-		assert(op1);
-		d->Add(id_str);
-		d->Add("[");
-		op1->Describe(d);
-		d->Add("]");
-		d->Add(" = ");
-		if ( op2 )
-			op2->Describe(d);
-		else
-			d->Add("(null)");
-		if ( op3 )
-			{
-			d->Add(" (");
-			op3->Describe(d);
-			d->Add(")");
-			}
-		d->Add(unique_str);
-		break;
-
-	case OP_INCR_IDX:
-		assert(op1 && op2 && op3);
-		d->Add(id_str);
-		d->Add("[");
-		op1->Describe(d);
-		d->Add("]");
-		d->Add(" += ");
-		d->Add(op2->CoerceToInt() - op3->CoerceToInt());
-		d->Add(unique_str);
-		break;
-
-	case OP_ADD:
-		assert(op1);
-		d->Add("add ");
-		d->Add(id_str);
-		d->Add("[");
-		op1->Describe(d);
-		d->Add("]");
-		if ( op2 )
-			{
-			d->Add(" (");
-			op2->Describe(d);
-			d->Add(")");
-			}
-		d->Add(unique_str);
-		break;
-
-	case OP_DEL:
-		assert(op1);
-		d->Add("del ");
-		d->Add(id_str);
-		d->Add("[");
-		op1->Describe(d);
-		d->Add("]");
-		if ( op2 )
-			{
-			d->Add(" (");
-			op2->Describe(d);
-			d->Add(")");
-			}
-		d->Add(unique_str);
-		break;
-
-	case OP_EXPIRE:
-		assert(op1);
-		d->Add("expire ");
-		d->Add(id_str);
-		d->Add("[");
-		op1->Describe(d);
-		d->Add("]");
-		if ( op2 )
-			{
-			d->Add(" (");
-			op2->Describe(d);
-			d->Add(")");
-			}
-		d->Add(unique_str);
-		break;
-
-	case OP_PRINT:
-		assert(op1);
-		d->Add("print ");
-		d->Add(id_str);
-		op1->Describe(d);
-		d->Add(unique_str);
-		break;
-
-	case OP_READ_IDX:
-		assert(op1);
-		d->Add("read ");
-		d->Add(id_str);
-		d->Add("[");
-		op1->Describe(d);
-		d->Add("]");
-		break;
-
-	default:
-		reporter->InternalError("unknown opcode for StateAccess");
-		break;
-		}
-
-	if ( op1_type != TYPE_VAL )
-		Unref(const_cast<Val*>(op1));
-	}
-
-void StateAccess::Log(StateAccess* access)
-	{
-	if ( access->target_type == TYPE_ID )
-		{
-		if ( access->target.id->FindAttr(ATTR_TRACKED) )
-			notifiers.Modified(access->target.id);
-		}
-	else
-		{
-		if ( access->target.val->GetProperties() & MutableVal::TRACKED )
-			notifiers.Modified(access->target.val);
-		}
-
-#ifdef DEBUG
-	ODesc desc;
-	access->Describe(&desc);
-	DBG_LOG(DBG_STATE, "operation: %s%s",
-			desc.Description(), replaying > 0 ? " (replay)" : "");
-#endif
-
-	delete access;
-
-	}
-
 NotifierRegistry notifiers;
 
 NotifierRegistry::~NotifierRegistry()
diff --git a/src/StateAccess.h b/src/StateAccess.h
index 86f1dbe88c..ac57d6d8f9 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -27,69 +27,6 @@ enum Opcode {	// Op1	Op2 Op3 (Vals)
 	OP_READ_IDX,	// idx
 };
 
-class StateAccess {
-public:
-	StateAccess(Opcode opcode, const ID* target, const Val* op1,
-			const Val* op2 = 0, const Val* op3 = 0);
-	StateAccess(Opcode opcode, const MutableVal* target, const Val* op1,
-			const Val* op2 = 0, const Val* op3 = 0);
-
-	// For tables, the idx operand may be given as an index HashKey.
-	// This is for efficiency. While we need to reconstruct the index
-	// if we are actually going to serialize the access, we can at
-	// least skip it if we don't.
-	StateAccess(Opcode opcode, const ID* target, const HashKey* op1,
-			const Val* op2 = 0, const Val* op3 = 0);
-	StateAccess(Opcode opcode, const MutableVal* target, const HashKey* op1,
-			const Val* op2 = 0, const Val* op3 = 0);
-
-	StateAccess(const StateAccess& sa);
-
-	virtual ~StateAccess();
-
-	// Replays this access in the our environment.
-	void Replay();
-
-	// Returns target ID which may be an internal one for unbound vals.
-	ID* Target() const;
-
-	void Describe(ODesc* d) const;
-
-	// Main entry point when StateAcesses are performed.
-	// For every state-changing operation, this has to be called.
-	static void Log(StateAccess* access);
-
-	// If we're going to make additional non-replaying accesses during a
-	// Replay(), we have to call these.
-	static void SuspendReplay()	{ --replaying; }
-	static void ResumeReplay()	{ ++replaying; }
-
-private:
-	StateAccess()	{ target.id = 0; op1.val = op2 = op3 = 0; }
-	void RefThem();
-
-	Opcode opcode;
-	union {
-		ID* id;
-		MutableVal* val;
-	} target;
-
-	union {
-		Val* val;
-		const HashKey* key;
-	} op1;
-
-	Val* op2;
-	Val* op3;
-
-	enum Type { TYPE_ID, TYPE_VAL, TYPE_MVAL, TYPE_KEY };
-	Type target_type;
-	Type op1_type;
-	bool delete_op1_key;
-
-	static int replaying;
-};
-
 // We provide a notifier framework to inform interested parties of
 // modifications to selected global IDs/Vals. To get notified about a change,
 // derive a class from Notifier and register the interesting IDs/Vals with
diff --git a/src/Val.cc b/src/Val.cc
index f0c0c031ed..61308bc3b5 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -438,8 +438,6 @@ ID* MutableVal::Bind() const
 		      "%u", ++id_counter);
 	name[MAX_NAME_SIZE-1] = '\0';
 
-//	DBG_LOG(DBG_STATE, "new unique ID %s", name);
-
 	id = new ID(name, SCOPE_GLOBAL, true);
 	id->SetType(const_cast<MutableVal*>(this)->Type()->Ref());
 
@@ -457,8 +455,6 @@ void MutableVal::TransferUniqueID(MutableVal* mv)
 	if ( ! id )
 		Bind();
 
-	DBG_LOG(DBG_STATE, "transfering ID (new %s, old/alias %s)", new_name, id->Name());
-
 	// Keep old name as alias.
 	aliases.push_back(id);
 
@@ -1178,55 +1174,6 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 			subnets->Insert(index, new_entry_val);
 		}
 
-	if ( LoggingAccess() && op != OP_NONE )
-		{
-		Val* rec_index = 0;
-		if ( ! index )
-			index = rec_index = RecoverIndex(&k_copy);
-
-		if ( new_val )
-			{
-			// A table.
-			if ( new_val->IsMutableVal() )
-				new_val->AsMutableVal()->AddProperties(GetProperties());
-
-			bool unref_old_val = false;
-			Val* old_val = old_entry_val ?
-					old_entry_val->Value() : 0;
-			if ( op == OP_INCR && ! old_val )
-				// If it's an increment, somebody has already
-				// checked that the index is there.  If it's
-				// not, that can only be due to using the
-				// default.
-				{
-				old_val = Default(index);
-				unref_old_val = true;
-				}
-
-			assert(op != OP_INCR || old_val);
-
-			StateAccess::Log(
-				new StateAccess(
-					op == OP_INCR ?
-						OP_INCR_IDX : OP_ASSIGN_IDX,
-					this, index, new_val, old_val));
-
-			if ( unref_old_val )
-				Unref(old_val);
-			}
-
-		else
-			{
-			// A set.
-			StateAccess::Log(
-				new StateAccess(OP_ADD, this,
-						index, 0, 0));
-			}
-
-		if ( rec_index )
-			Unref(rec_index);
-		}
-
 	// Keep old expiration time if necessary.
 	if ( old_entry_val && attrs && attrs->FindAttr(ATTR_EXPIRE_CREATE) )
 		new_entry_val->SetExpireAccess(old_entry_val->ExpireAccessTime());
@@ -1237,6 +1184,7 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 		delete old_entry_val;
 		}
 
+	Modified();
 	return 1;
 	}
 
@@ -1556,11 +1504,7 @@ Val* TableVal::Lookup(Val* index, bool use_default_val)
 		if ( v )
 			{
 			if ( attrs && attrs->FindAttr(ATTR_EXPIRE_READ) )
-					{
 					v->SetExpireAccess(network_time);
-					if ( LoggingAccess() && ExpirationEnabled() )
-						ReadOperation(index, v);
-					}
 
 			return v->Value() ? v->Value() : this;
 			}
@@ -1587,11 +1531,7 @@ Val* TableVal::Lookup(Val* index, bool use_default_val)
 			if ( v )
 				{
 				if ( attrs && attrs->FindAttr(ATTR_EXPIRE_READ) )
-					{
 					v->SetExpireAccess(network_time);
-					if ( LoggingAccess() && ExpirationEnabled() )
-						ReadOperation(index, v);
-					}
 
 				return v->Value() ? v->Value() : this;
 				}
@@ -1645,11 +1585,7 @@ TableVal* TableVal::LookupSubnetValues(const SubNetVal* search)
 		if ( entry )
 			{
 			if ( attrs && attrs->FindAttr(ATTR_EXPIRE_READ) )
-				{
 				entry->SetExpireAccess(network_time);
-				if ( LoggingAccess() && ExpirationEnabled() )
-					ReadOperation(s, entry);
-				}
 			}
 
 		Unref(s); // assign does not consume index
@@ -1679,8 +1615,6 @@ bool TableVal::UpdateTimestamp(Val* index)
 		return false;
 
 	v->SetExpireAccess(network_time);
-	if ( LoggingAccess() && attrs->FindAttr(ATTR_EXPIRE_READ) )
-		ReadOperation(index, v);
 
 	return true;
 	}
@@ -1699,25 +1633,10 @@ Val* TableVal::Delete(const Val* index)
 	if ( subnets && ! subnets->Remove(index) )
 		reporter->InternalWarning("index not in prefix table");
 
-	if ( LoggingAccess() )
-		{
-		if ( v )
-			{
-			// A set.
-			Val* has_old_val = val_mgr->GetInt(1);
-			StateAccess::Log(
-				new StateAccess(OP_DEL, this, index,
-						has_old_val));
-			Unref(has_old_val);
-			}
-		else
-			StateAccess::Log(
-				new StateAccess(OP_DEL, this, index, 0));
-		}
-
 	delete k;
 	delete v;
 
+	Modified();
 	return va;
 	}
 
@@ -1736,9 +1655,7 @@ Val* TableVal::Delete(const HashKey* k)
 
 	delete v;
 
-	if ( LoggingAccess() )
-		StateAccess::Log(new StateAccess(OP_DEL, this, k));
-
+	Modified();
 	return va;
 	}
 
@@ -1949,6 +1866,7 @@ void TableVal::DoExpire(double t)
 	HashKey* k = 0;
 	TableEntryVal* v = 0;
 	TableEntryVal* v_saved = 0;
+	bool modified = false;
 
 	for ( int i = 0; i < table_incremental_step &&
 			 (v = tbl->NextEntry(k, expire_cookie)); ++i )
@@ -2001,18 +1919,18 @@ void TableVal::DoExpire(double t)
 				Unref(index);
 				}
 
-			if ( LoggingAccess() )
-				StateAccess::Log(
-					new StateAccess(OP_EXPIRE, this, k));
-
 			tbl->RemoveEntry(k);
 			Unref(v->Value());
 			delete v;
+			modified = true;
 			}
 
 		delete k;
 		}
 
+	if ( modified )
+		Modified();
+
 	if ( ! v )
 		{
 		expire_cookie = 0;
@@ -2124,10 +2042,7 @@ void TableVal::ReadOperation(Val* index, TableEntryVal* v)
 	// practical issues such as latency, we send one update every half
 	// &read_expire.
 	if ( network_time - v->LastReadUpdate() > timeout / 2 )
-		{
-		StateAccess::Log(new StateAccess(OP_READ_IDX, this, index));
 		v->SetLastReadUpdate(network_time);
-		}
 	}
 
 Val* TableVal::DoClone(CloneState* state)
@@ -2307,21 +2222,8 @@ RecordVal::~RecordVal()
 void RecordVal::Assign(int field, Val* new_val, Opcode op)
 	{
 	Val* old_val = AsNonConstRecord()->replace(field, new_val);
-
-	if ( LoggingAccess() && op != OP_NONE )
-		{
-		if ( new_val && new_val->IsMutableVal() )
-			new_val->AsMutableVal()->AddProperties(GetProperties());
-
-		StringVal* index = new StringVal(Type()->AsRecordType()->FieldName(field));
-		StateAccess::Log(
-			new StateAccess(
-				op == OP_INCR ? OP_INCR_IDX : OP_ASSIGN_IDX,
-				this, index, new_val, old_val));
-		Unref(index); // The logging may keep a cached copy.
-		}
-
 	Unref(old_val);
+	Modified();
 	}
 
 Val* RecordVal::Lookup(int field) const
@@ -2627,19 +2529,6 @@ bool VectorVal::Assign(unsigned int index, Val* element, Opcode op)
 	else
 		val.vector_val->resize(index + 1);
 
-	if ( LoggingAccess() && op != OP_NONE )
-		{
-		if ( element->IsMutableVal() )
-			element->AsMutableVal()->AddProperties(GetProperties());
-
-		Val* ival = val_mgr->GetCount(index);
-
-		StateAccess::Log(new StateAccess(op == OP_INCR ?
-				OP_INCR_IDX : OP_ASSIGN_IDX,
-				this, ival, element, val_at_index));
-		Unref(ival);
-		}
-
 	Unref(val_at_index);
 
 	// Note: we do *not* Ref() the element, if any, at this point.
@@ -2647,6 +2536,7 @@ bool VectorVal::Assign(unsigned int index, Val* element, Opcode op)
 	// to do it similarly.
 	(*val.vector_val)[index] = element;
 
+	Modified();
 	return true;
 	}
 
diff --git a/src/Val.h b/src/Val.h
index 59fef19ac0..2eddac8cb7 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -51,8 +51,6 @@ class StringVal;
 class EnumVal;
 class MutableVal;
 
-class StateAccess;
-
 class VectorVal;
 
 class TableEntryVal;
@@ -532,17 +530,6 @@ public:
 	virtual bool AddProperties(Properties state);
 	virtual bool RemoveProperties(Properties state);
 
-	// Whether StateAccess:LogAccess needs to be called.
-	bool LoggingAccess() const
-		{
-#ifndef DEBUG
-		return props & TRACKED;
-#else
-		return debug_logger.IsVerbose() ||
-			(props & TRACKED);
-#endif
-		}
-
 protected:
 	explicit MutableVal(BroType* t) : Val(t)
 		{ props = 0; id = 0; }
@@ -553,6 +540,7 @@ protected:
 	friend class Val;
 
 	void SetID(ID* arg_id)	{ Unref(id); id = arg_id; }
+	void Modified()	{ notifiers.Modified(this); }
 
 private:
 	ID* Bind() const;
@@ -957,7 +945,6 @@ public:
 
 protected:
 	friend class Val;
-	friend class StateAccess;
 	TableVal()	{}
 
 	void Init(TableType* t);
diff --git a/src/bro.bif b/src/bro.bif
index 3a082bcc5f..47b713e4e1 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -1843,17 +1843,6 @@ function global_ids%(%): id_table
 	TableVal* ids = new TableVal(id_table);
 	PDict(ID)* globals = global_scope()->Vars();
 	IterCookie* c = globals->InitForIteration();
-#ifdef DEBUG
-  /**
-	 * Explanation time: c needs to be a robust cookie when one is in debug mode,
-	 * otherwise the Zeek process will crash in ~80% of cases when -B all is specified.
-	 * The reason for this are the RecordVals that we create. RecordVal::Assign triggers
-	 * a StateAccess::Log, which in turn (only in debug mode) triggers StateAccess::Describe,
-	 * which creates a UniqueID for the variable, which triggers an insert into global_scope.
-	 * Which invalidates the iteration cookie if it is not robust.
-	 **/
-	globals->MakeRobustCookie(c);
-#endif
 
 	ID* id;
 	while ( (id = globals->NextEntry(c)) )

From 0ba382280c393a40672b88e00c7d9d594d31cd83 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Thu, 6 Jun 2019 03:24:13 +0000
Subject: [PATCH 41/91] Remove enum Opcode.

---
 src/Expr.cc       | 34 +++++++++++++++++-----------------
 src/Expr.h        | 12 ++++++------
 src/ID.cc         | 24 ++----------------------
 src/ID.h          |  2 +-
 src/Op.h          | 23 -----------------------
 src/StateAccess.h | 13 -------------
 src/Val.cc        | 24 +++++++++++-------------
 src/Val.h         | 14 +++++++-------
 8 files changed, 44 insertions(+), 102 deletions(-)
 delete mode 100644 src/Op.h

diff --git a/src/Expr.cc b/src/Expr.cc
index ef4d5af6e6..32cef7b0e1 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -97,7 +97,7 @@ void Expr::EvalIntoAggregate(const BroType* /* t */, Val* /* aggr */,
 	Internal("Expr::EvalIntoAggregate called");
 	}
 
-void Expr::Assign(Frame* /* f */, Val* /* v */, Opcode /* op */)
+void Expr::Assign(Frame* /* f */, Val* /* v */)
 	{
 	Internal("Expr::Assign called");
 	}
@@ -261,10 +261,10 @@ Expr* NameExpr::MakeLvalue()
 	return new RefExpr(this);
 	}
 
-void NameExpr::Assign(Frame* f, Val* v, Opcode op)
+void NameExpr::Assign(Frame* f, Val* v)
 	{
 	if ( id->IsGlobal() )
-		id->SetVal(v, op);
+		id->SetVal(v);
 	else
 		f->SetElement(id->Offset(), v);
 	}
@@ -1007,18 +1007,18 @@ Val* IncrExpr::Eval(Frame* f) const
 			if ( elt )
 				{
 				Val* new_elt = DoSingleEval(f, elt);
-				v_vec->Assign(i, new_elt, OP_INCR);
+				v_vec->Assign(i, new_elt);
 				}
 			else
-				v_vec->Assign(i, 0, OP_INCR);
+				v_vec->Assign(i, 0);
 			}
-		op->Assign(f, v_vec, OP_INCR);
+		op->Assign(f, v_vec);
 		}
 
 	else
 		{
 		Val* old_v = v;
-		op->Assign(f, v = DoSingleEval(f, old_v), OP_INCR);
+		op->Assign(f, v = DoSingleEval(f, old_v));
 		Unref(old_v);
 		}
 
@@ -2041,9 +2041,9 @@ Expr* RefExpr::MakeLvalue()
 	return this;
 	}
 
-void RefExpr::Assign(Frame* f, Val* v, Opcode opcode)
+void RefExpr::Assign(Frame* f, Val* v)
 	{
-	op->Assign(f, v, opcode);
+	op->Assign(f, v);
 	}
 
 AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init,
@@ -2684,7 +2684,7 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
 	return 0;
 	}
 
-void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
+void IndexExpr::Assign(Frame* f, Val* v)
 	{
 	if ( IsError() )
 		return;
@@ -2704,7 +2704,7 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
 
 	switch ( v1->Type()->Tag() ) {
 	case TYPE_VECTOR:
-		if ( ! v1->AsVectorVal()->Assign(v2, v, op) )
+		if ( ! v1->AsVectorVal()->Assign(v2, v) )
 			{
 			if ( v )
 				{
@@ -2723,7 +2723,7 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
 		break;
 
 	case TYPE_TABLE:
-		if ( ! v1->AsTableVal()->Assign(v2, v, op) )
+		if ( ! v1->AsTableVal()->Assign(v2, v) )
 			{
 			if ( v )
 				{
@@ -2826,7 +2826,7 @@ int FieldExpr::CanDel() const
 	return td->FindAttr(ATTR_DEFAULT) || td->FindAttr(ATTR_OPTIONAL);
 	}
 
-void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode)
+void FieldExpr::Assign(Frame* f, Val* v)
 	{
 	if ( IsError() )
 		return;
@@ -2835,14 +2835,14 @@ void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode)
 	if ( op_v )
 		{
 		RecordVal* r = op_v->AsRecordVal();
-		r->Assign(field, v, opcode);
+		r->Assign(field, v);
 		Unref(r);
 		}
 	}
 
 void FieldExpr::Delete(Frame* f)
 	{
-	Assign(f, 0, OP_ASSIGN_IDX);
+	Assign(f, 0);
 	}
 
 Val* FieldExpr::Fold(Val* v) const
@@ -4635,7 +4635,7 @@ Expr* ListExpr::MakeLvalue()
 	return new RefExpr(this);
 	}
 
-void ListExpr::Assign(Frame* f, Val* v, Opcode op)
+void ListExpr::Assign(Frame* f, Val* v)
 	{
 	ListVal* lv = v->AsListVal();
 
@@ -4643,7 +4643,7 @@ void ListExpr::Assign(Frame* f, Val* v, Opcode op)
 		RuntimeError("mismatch in list lengths");
 
 	loop_over_list(exprs, i)
-		exprs[i]->Assign(f, (*lv->Vals())[i]->Ref(), op);
+		exprs[i]->Assign(f, (*lv->Vals())[i]->Ref());
 
 	Unref(lv);
 	}
diff --git a/src/Expr.h b/src/Expr.h
index 6c9ac5e18f..f146162b04 100644
--- a/src/Expr.h
+++ b/src/Expr.h
@@ -84,7 +84,7 @@ public:
 			const;
 
 	// Assign to the given value, if appropriate.
-	virtual void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+	virtual void Assign(Frame* f, Val* v);
 
 	// Returns the type corresponding to this expression interpreted
 	// as an initialization.  The type should be Unref()'d when done
@@ -225,7 +225,7 @@ public:
 	ID* Id() const		{ return id; }
 
 	Val* Eval(Frame* f) const override;
-	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN) override;
+	void Assign(Frame* f, Val* v) override;
 	Expr* MakeLvalue() override;
 	int IsPure() const override;
 
@@ -572,7 +572,7 @@ class RefExpr : public UnaryExpr {
 public:
 	explicit RefExpr(Expr* op);
 
-	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN) override;
+	void Assign(Frame* f, Val* v) override;
 	Expr* MakeLvalue() override;
 
 protected:
@@ -615,7 +615,7 @@ public:
 	void Add(Frame* f) override;
 	void Delete(Frame* f) override;
 
-	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN) override;
+	void Assign(Frame* f, Val* v) override;
 	Expr* MakeLvalue() override;
 
 	// Need to override Eval since it can take a vector arg but does
@@ -643,7 +643,7 @@ public:
 
 	int CanDel() const override;
 
-	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN) override;
+	void Assign(Frame* f, Val* v) override;
 	void Delete(Frame* f) override;
 
 	Expr* MakeLvalue() override;
@@ -963,7 +963,7 @@ public:
 	BroType* InitType() const override;
 	Val* InitVal(const BroType* t, Val* aggr) const override;
 	Expr* MakeLvalue() override;
-	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN) override;
+	void Assign(Frame* f, Val* v) override;
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
diff --git a/src/ID.cc b/src/ID.cc
index 915b5002b9..29a9a5a98a 100644
--- a/src/ID.cc
+++ b/src/ID.cc
@@ -59,34 +59,14 @@ void ID::ClearVal()
 	val = 0;
 	}
 
-void ID::SetVal(Val* v, Opcode op, bool arg_weak_ref)
+void ID::SetVal(Val* v, bool arg_weak_ref)
 	{
-	if ( op != OP_NONE )
-		{
-		MutableVal::Properties props = 0;
-
-		if ( attrs && attrs->FindAttr(ATTR_TRACKED) )
-			props |= MutableVal::TRACKED;
-
-		if ( props )
-			{
-			if ( v->IsMutableVal() )
-				v->AsMutableVal()->AddProperties(props);
-			}
-
-#ifndef DEBUG
-		if ( props )
-#else
-		if ( debug_logger.IsVerbose() || props )
-#endif
-			notifiers.Modified(this);
-		}
-
 	if ( ! weak_ref )
 		Unref(val);
 
 	val = v;
 	weak_ref = arg_weak_ref;
+	notifiers.Modified(this);
 
 #ifdef DEBUG
 	UpdateValID();
diff --git a/src/ID.h b/src/ID.h
index bb9e11ca06..7717a584f3 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -46,7 +46,7 @@ public:
 	// reference to the Val, the Val will be destroyed (naturally,
 	// you have to take care that it will not be accessed via
 	// the ID afterwards).
-	void SetVal(Val* v, Opcode op = OP_ASSIGN, bool weak_ref = false);
+	void SetVal(Val* v, bool weak_ref = false);
 
 	void SetVal(Val* v, init_class c);
 	void SetVal(Expr* ev, init_class c);
diff --git a/src/Op.h b/src/Op.h
deleted file mode 100644
index a628a6bb68..0000000000
--- a/src/Op.h
+++ /dev/null
@@ -1,23 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef op_h
-#define op_h
-
-// BRO operations.
-
-typedef enum {
-	OP_INCR, OP_DECR, OP_NOT, OP_NEGATE,
-	OP_PLUS, OP_MINUS, OP_TIMES, OP_DIVIDE, OP_MOD,
-	OP_AND, OP_OR,
-	OP_LT, OP_LE, OP_EQ, OP_NE, OP_GE, OP_GT,
-	OP_MATCH,
-	OP_ASSIGN,
-	OP_INDEX, OP_FIELD,
-	OP_IN,
-	OP_LIST,
-	OP_CALL,
-	OP_SCHED,
-	OP_NAME, OP_CONST, OP_THIS
-} BroOP;
-
-#endif
diff --git a/src/StateAccess.h b/src/StateAccess.h
index ac57d6d8f9..528e3357d5 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -14,19 +14,6 @@ class HashKey;
 class ODesc;
 class TableVal;
 
-enum Opcode {	// Op1	Op2 Op3 (Vals)
-	OP_NONE,
-	OP_ASSIGN,	// new	old
-	OP_ASSIGN_IDX,	// idx new  old
-	OP_ADD,		// idx  old
-	OP_INCR,	// idx  new old
-	OP_INCR_IDX,	// idx  new old
-	OP_DEL,		// idx  old
-	OP_PRINT,	// args
-	OP_EXPIRE,	// idx
-	OP_READ_IDX,	// idx
-};
-
 // We provide a notifier framework to inform interested parties of
 // modifications to selected global IDs/Vals. To get notified about a change,
 // derive a class from Notifier and register the interesting IDs/Vals with
diff --git a/src/Val.cc b/src/Val.cc
index 61308bc3b5..75f6f9134d 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -443,7 +443,7 @@ ID* MutableVal::Bind() const
 
 	global_scope()->Insert(name, id);
 
-	id->SetVal(const_cast<MutableVal*>(this), OP_NONE, true);
+	id->SetVal(const_cast<MutableVal*>(this), true);
 
 	return id;
 	}
@@ -461,7 +461,7 @@ void MutableVal::TransferUniqueID(MutableVal* mv)
 	id = new ID(new_name, SCOPE_GLOBAL, true);
 	id->SetType(const_cast<MutableVal*>(this)->Type()->Ref());
 	global_scope()->Insert(new_name, id);
-	id->SetVal(const_cast<MutableVal*>(this), OP_NONE, true);
+	id->SetVal(const_cast<MutableVal*>(this), true);
 
 	Unref(mv->id);
 	mv->id = 0;
@@ -1132,7 +1132,7 @@ void TableVal::CheckExpireAttr(attr_tag at)
 		}
 	}
 
-int TableVal::Assign(Val* index, Val* new_val, Opcode op)
+int TableVal::Assign(Val* index, Val* new_val)
 	{
 	HashKey* k = ComputeHash(index);
 	if ( ! k )
@@ -1142,10 +1142,10 @@ int TableVal::Assign(Val* index, Val* new_val, Opcode op)
 		return 0;
 		}
 
-	return Assign(index, k, new_val, op);
+	return Assign(index, k, new_val);
 	}
 
-int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
+int TableVal::Assign(Val* index, HashKey* k, Val* new_val)
 	{
 	int is_set = table_type->IsSet();
 
@@ -1227,15 +1227,13 @@ int TableVal::AddTo(Val* val, int is_first_init, bool propagate_ops) const
 
 		if ( type->IsSet() )
 			{
-			if ( ! t->Assign(v->Value(), k, 0,
-					propagate_ops ? OP_ASSIGN : OP_NONE) )
+			if ( ! t->Assign(v->Value(), k, 0) )
 				 return 0;
 			}
 		else
 			{
 			v->Ref();
-			if ( ! t->Assign(0, k, v->Value(),
-					propagate_ops ? OP_ASSIGN : OP_NONE) )
+			if ( ! t->Assign(0, k, v->Value()) )
 				 return 0;
 			}
 		}
@@ -1822,7 +1820,7 @@ int TableVal::ExpandCompoundAndInit(val_list* vl, int k, Val* new_val)
 	return 1;
 	}
 
-int TableVal::CheckAndAssign(Val* index, Val* new_val, Opcode op)
+int TableVal::CheckAndAssign(Val* index, Val* new_val)
 	{
 	Val* v = 0;
 	if ( subnets )
@@ -1834,7 +1832,7 @@ int TableVal::CheckAndAssign(Val* index, Val* new_val, Opcode op)
 	if ( v )
 		index->Warn("multiple initializations for index");
 
-	return Assign(index, new_val, op);
+	return Assign(index, new_val);
 	}
 
 void TableVal::InitTimer(double delay)
@@ -2219,7 +2217,7 @@ RecordVal::~RecordVal()
 	delete_vals(AsNonConstRecord());
 	}
 
-void RecordVal::Assign(int field, Val* new_val, Opcode op)
+void RecordVal::Assign(int field, Val* new_val)
 	{
 	Val* old_val = AsNonConstRecord()->replace(field, new_val);
 	Unref(old_val);
@@ -2513,7 +2511,7 @@ VectorVal::~VectorVal()
 	delete val.vector_val;
 	}
 
-bool VectorVal::Assign(unsigned int index, Val* element, Opcode op)
+bool VectorVal::Assign(unsigned int index, Val* element)
 	{
 	if ( element &&
 	     ! same_type(element->Type(), vector_type->YieldType(), 0) )
diff --git a/src/Val.h b/src/Val.h
index 2eddac8cb7..08038a686b 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -840,8 +840,8 @@ public:
 	// version takes a HashKey and Unref()'s it when done. If we're a
 	// set, new_val has to be nil. If we aren't a set, index may be nil
 	// in the second version.
-	int Assign(Val* index, Val* new_val, Opcode op = OP_ASSIGN);
-	int Assign(Val* index, HashKey* k, Val* new_val, Opcode op = OP_ASSIGN);
+	int Assign(Val* index, Val* new_val);
+	int Assign(Val* index, HashKey* k, Val* new_val);
 
 	Val* SizeVal() const override	{ return val_mgr->GetCount(Size()); }
 
@@ -951,7 +951,7 @@ protected:
 
 	void CheckExpireAttr(attr_tag at);
 	int ExpandCompoundAndInit(val_list* vl, int k, Val* new_val);
-	int CheckAndAssign(Val* index, Val* new_val, Opcode op = OP_ASSIGN);
+	int CheckAndAssign(Val* index, Val* new_val);
 
 	bool AddProperties(Properties arg_state) override;
 	bool RemoveProperties(Properties arg_state) override;
@@ -995,7 +995,7 @@ public:
 	Val* SizeVal() const override
 		{ return val_mgr->GetCount(record_type->NumFields()); }
 
-	void Assign(int field, Val* new_val, Opcode op = OP_ASSIGN);
+	void Assign(int field, Val* new_val);
 	Val* Lookup(int field) const;	// Does not Ref() value.
 	Val* LookupWithDefault(int field) const;	// Does Ref() value.
 
@@ -1095,11 +1095,11 @@ public:
 	// Note: does NOT Ref() the element! Remember to do so unless
 	//       the element was just created and thus has refcount 1.
 	//
-	bool Assign(unsigned int index, Val* element, Opcode op = OP_ASSIGN);
-	bool Assign(Val* index, Val* element, Opcode op = OP_ASSIGN)
+	bool Assign(unsigned int index, Val* element);
+	bool Assign(Val* index, Val* element)
 		{
 		return Assign(index->AsListVal()->Index(0)->CoerceToUnsigned(),
-				element, op);
+				element);
 		}
 
 	// Assigns the value to how_many locations starting at index.

From f8262b65c42aacdf4234b61e80d27726768956b4 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Thu, 6 Jun 2019 03:28:12 +0000
Subject: [PATCH 42/91] Remove most of MutableVal (but not the class itelf yet)

---
 src/ID.cc  |  20 -----
 src/Val.cc | 239 -----------------------------------------------------
 src/Val.h  |  91 ++------------------
 3 files changed, 7 insertions(+), 343 deletions(-)

diff --git a/src/ID.cc b/src/ID.cc
index 29a9a5a98a..582c8fcf8e 100644
--- a/src/ID.cc
+++ b/src/ID.cc
@@ -155,16 +155,6 @@ void ID::UpdateValAttrs()
 	if ( ! attrs )
 		return;
 
-	MutableVal::Properties props = 0;
-
-	if ( val && val->IsMutableVal() )
-		{
-		if ( attrs->FindAttr(ATTR_TRACKED) )
-			props |= MutableVal::TRACKED;
-
-		val->AsMutableVal()->AddProperties(props);
-		}
-
 	if ( val && val->Type()->Tag() == TYPE_TABLE )
 		val->AsTableVal()->SetAttrs(attrs);
 
@@ -222,16 +212,6 @@ void ID::RemoveAttr(attr_tag a)
 	{
 	if ( attrs )
 		attrs->RemoveAttr(a);
-
-	if ( val && val->IsMutableVal() )
-		{
-		MutableVal::Properties props = 0;
-
-		if ( a == ATTR_TRACKED )
-			props |= MutableVal::TRACKED;
-
-		val->AsMutableVal()->RemoveProperties(props);
-		}
 	}
 
 void ID::SetOption()
diff --git a/src/Val.cc b/src/Val.cc
index 75f6f9134d..4ba2ea6dd7 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -351,120 +351,6 @@ void Val::ValDescribeReST(ODesc* d) const
 
 MutableVal::~MutableVal()
 	{
-	for ( list<ID*>::iterator i = aliases.begin(); i != aliases.end(); ++i )
-		{
-		if ( global_scope() )
-			global_scope()->Remove((*i)->Name());
-		(*i)->ClearVal();	// just to make sure.
-		Unref((*i));
-		}
-
-	if ( id )
-		{
-		if ( global_scope() )
-			global_scope()->Remove(id->Name());
-		id->ClearVal(); // just to make sure.
-		Unref(id);
-		}
-	}
-
-bool MutableVal::AddProperties(Properties arg_props)
-	{
-	if ( (props | arg_props) == props )
-		// No change.
-		return false;
-
-	props |= arg_props;
-
-	if ( ! id )
-		Bind();
-
-	return true;
-	}
-
-
-bool MutableVal::RemoveProperties(Properties arg_props)
-	{
-	if ( (props & ~arg_props) == props )
-		// No change.
-		return false;
-
-	props &= ~arg_props;
-
-	return true;
-	}
-
-ID* MutableVal::Bind() const
-	{
-	static bool initialized = false;
-
-	assert(!id);
-
-	static unsigned int id_counter = 0;
-	static const int MAX_NAME_SIZE = 128;
-	static char name[MAX_NAME_SIZE];
-	static char* end_of_static_str = 0;
-
-	if ( ! initialized )
-		{
-		// Get local IP.
-		char host[MAXHOSTNAMELEN];
-		strcpy(host, "localhost");
-		gethostname(host, MAXHOSTNAMELEN);
-		host[MAXHOSTNAMELEN-1] = '\0';
-#if 0
-		// We ignore errors.
-		struct hostent* ent = gethostbyname(host);
-
-		uint32 ip;
-		if ( ent && ent->h_addr_list[0] )
-			ip = *(uint32*) ent->h_addr_list[0];
-		else
-			ip = htonl(0x7f000001);	// 127.0.0.1
-
-		safe_snprintf(name, MAX_NAME_SIZE, "#%s#%d#",
-			      IPAddr(IPv4, &ip, IPAddr::Network)->AsString().c_str(),
-			      getpid());
-#else
-		safe_snprintf(name, MAX_NAME_SIZE, "#%s#%d#", host, getpid());
-#endif
-
-		end_of_static_str = name + strlen(name);
-
-		initialized = true;
-		}
-
-	safe_snprintf(end_of_static_str, MAX_NAME_SIZE - (end_of_static_str - name),
-		      "%u", ++id_counter);
-	name[MAX_NAME_SIZE-1] = '\0';
-
-	id = new ID(name, SCOPE_GLOBAL, true);
-	id->SetType(const_cast<MutableVal*>(this)->Type()->Ref());
-
-	global_scope()->Insert(name, id);
-
-	id->SetVal(const_cast<MutableVal*>(this), true);
-
-	return id;
-	}
-
-void MutableVal::TransferUniqueID(MutableVal* mv)
-	{
-	const char* new_name = mv->UniqueID()->Name();
-
-	if ( ! id )
-		Bind();
-
-	// Keep old name as alias.
-	aliases.push_back(id);
-
-	id = new ID(new_name, SCOPE_GLOBAL, true);
-	id->SetType(const_cast<MutableVal*>(this)->Type()->Ref());
-	global_scope()->Insert(new_name, id);
-	id->SetVal(const_cast<MutableVal*>(this), true);
-
-	Unref(mv->id);
-	mv->id = 0;
 	}
 
 IntervalVal::IntervalVal(double quantity, double units) :
@@ -2026,23 +1912,6 @@ double TableVal::CallExpireFunc(Val* idx)
 	return secs;
 	}
 
-void TableVal::ReadOperation(Val* index, TableEntryVal* v)
-	{
-	double timeout = GetExpireTime();
-
-	if ( timeout < 0 )
-		// Skip in case of unset/invalid expiration value. If it's an
-		// error, it has been reported already.
-		return;
-
-	// In theory we need to only propagate one update per &read_expire
-	// interval to prevent peers from expiring intervals. To account for
-	// practical issues such as latency, we send one update every half
-	// &read_expire.
-	if ( network_time - v->LastReadUpdate() > timeout / 2 )
-		v->SetLastReadUpdate(network_time);
-	}
-
 Val* TableVal::DoClone(CloneState* state)
 	{
 	auto tv = new TableVal(table_type);
@@ -2092,48 +1961,6 @@ Val* TableVal::DoClone(CloneState* state)
 	return tv;
 	}
 
-bool TableVal::AddProperties(Properties arg_props)
-	{
-	if ( ! MutableVal::AddProperties(arg_props) )
-		return false;
-
-	if ( Type()->IsSet() || ! RecursiveProps(arg_props) )
-		return true;
-
-	// For a large table, this could get expensive. So, let's hope
-	// that nobody creates such a table *before* making it persistent
-	// (for example by inserting it into another table).
-	TableEntryVal* v;
-	PDict(TableEntryVal)* tbl = val.table_val;
-	IterCookie* c = tbl->InitForIteration();
-	while ( (v = tbl->NextEntry(c)) )
-		if ( v->Value()->IsMutableVal() )
-			v->Value()->AsMutableVal()->AddProperties(RecursiveProps(arg_props));
-
-	return true;
-	}
-
-bool TableVal::RemoveProperties(Properties arg_props)
-	{
-	if ( ! MutableVal::RemoveProperties(arg_props) )
-		return false;
-
-	if ( Type()->IsSet() || ! RecursiveProps(arg_props) )
-		return true;
-
-	// For a large table, this could get expensive.  So, let's hope
-	// that nobody creates such a table *before* making it persistent
-	// (for example by inserting it into another table).
-	TableEntryVal* v;
-	PDict(TableEntryVal)* tbl = val.table_val;
-	IterCookie* c = tbl->InitForIteration();
-	while ( (v = tbl->NextEntry(c)) )
-		if ( v->Value()->IsMutableVal() )
-			v->Value()->AsMutableVal()->RemoveProperties(RecursiveProps(arg_props));
-
-	return true;
-	}
-
 unsigned int TableVal::MemoryAllocation() const
 	{
 	unsigned int size = 0;
@@ -2428,41 +2255,6 @@ Val* RecordVal::DoClone(CloneState* state)
 	return rv;
 	}
 
-bool RecordVal::AddProperties(Properties arg_props)
-	{
-	if ( ! MutableVal::AddProperties(arg_props) )
-		return false;
-
-	if ( ! RecursiveProps(arg_props) )
-		return true;
-
-	loop_over_list(*val.val_list_val, i)
-		{
-		Val* v = (*val.val_list_val)[i];
-		if ( v && v->IsMutableVal() )
-			v->AsMutableVal()->AddProperties(RecursiveProps(arg_props));
-		}
-	return true;
-	}
-
-
-bool RecordVal::RemoveProperties(Properties arg_props)
-	{
-	if ( ! MutableVal::RemoveProperties(arg_props) )
-		return false;
-
-	if ( ! RecursiveProps(arg_props) )
-		return true;
-
-	loop_over_list(*val.val_list_val, i)
-		{
-		Val* v = (*val.val_list_val)[i];
-		if ( v && v->IsMutableVal() )
-			v->AsMutableVal()->RemoveProperties(RecursiveProps(arg_props));
-		}
-	return true;
-	}
-
 unsigned int RecordVal::MemoryAllocation() const
 	{
 	unsigned int size = 0;
@@ -2599,37 +2391,6 @@ unsigned int VectorVal::ResizeAtLeast(unsigned int new_num_elements)
 	 return Resize(new_num_elements);
 	 }
 
-bool VectorVal::AddProperties(Properties arg_props)
-	{
-	if ( ! MutableVal::AddProperties(arg_props) )
-		return false;
-
-	if ( ! RecursiveProps(arg_props) )
-		return true;
-
-	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
-		if ( (*val.vector_val)[i]->IsMutableVal() )
-			(*val.vector_val)[i]->AsMutableVal()->AddProperties(RecursiveProps(arg_props));
-
-	return true;
-	}
-
-bool VectorVal::RemoveProperties(Properties arg_props)
-	{
-	if ( ! MutableVal::RemoveProperties(arg_props) )
-		return false;
-
-	if ( ! RecursiveProps(arg_props) )
-		return true;
-
-	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
-		if ( (*val.vector_val)[i]->IsMutableVal() )
-			(*val.vector_val)[i]->AsMutableVal()->RemoveProperties(RecursiveProps(arg_props));
-
-	return true;
-	}
-
-
 Val* VectorVal::DoClone(CloneState* state)
 	{
 	auto vv = new VectorVal(vector_type);
diff --git a/src/Val.h b/src/Val.h
index 08038a686b..48f456fa17 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -325,20 +325,6 @@ public:
 		return IsMutable(type->Tag());
 		}
 
-	const MutableVal* AsMutableVal() const
-		{
-		if ( ! IsMutableVal() )
-			BadTag("Val::AsMutableVal", type_name(type->Tag()));
-		return (MutableVal*) this;
-		}
-
-	MutableVal* AsMutableVal()
-		{
-		if ( ! IsMutableVal() )
-			BadTag("Val::AsMutableVal", type_name(type->Tag()));
-		return (MutableVal*) this;
-		}
-
 	void Describe(ODesc* d) const override;
 	virtual void DescribeReST(ODesc* d) const;
 
@@ -499,56 +485,13 @@ private:
 extern ValManager* val_mgr;
 
 class MutableVal : public Val {
-public:
-	// Each MutableVal gets a globally unique ID that can be used to
-	// reference it no matter if it's directly bound to any user-visible
-	// ID. This ID is inserted into the global namespace.
-	ID* UniqueID() const	{ return id ? id : Bind(); }
-
-	// Returns true if we've already generated a unique ID.
-	bool HasUniqueID() const	{ return id; }
-
-	// Transfers the unique ID of the given value to this value. We keep our
-	// old ID as an alias.
-	void TransferUniqueID(MutableVal* mv);
-
-	// MutableVals can have properties (let's refrain from calling them
-	// attributes!).  Most properties are recursive.  If a derived object
-	// can contain MutableVals itself, the object has to override
-	// {Add,Remove}Properties(). RecursiveProp(state) masks out all non-
-	// recursive properties. If this is non-null, an overriden method must
-	// call itself with RecursiveProp(state) as argument for all contained
-	// values.  (In any case, don't forget to call the parent's method.)
-	typedef char Properties;
-
-	// Tracked by NotifierRegistry, not recursive.
-	static const int TRACKED = 0x04;
-
-	int RecursiveProps(int prop) const	{ return prop & ~TRACKED; }
-
-	Properties GetProperties() const	{ return props; }
-	virtual bool AddProperties(Properties state);
-	virtual bool RemoveProperties(Properties state);
-
 protected:
-	explicit MutableVal(BroType* t) : Val(t)
-		{ props = 0; id = 0; }
-	MutableVal()	{ props = 0; id = 0; }
+	explicit MutableVal(BroType* t) : Val(t)	{}
+
+	MutableVal()	{}
 	~MutableVal() override;
 
-	friend class ID;
-	friend class Val;
-
-	void SetID(ID* arg_id)	{ Unref(id); id = arg_id; }
 	void Modified()	{ notifiers.Modified(this); }
-
-private:
-	ID* Bind() const;
-
-	mutable ID* id;
-	list<ID*> aliases;
-	Properties props;
-	uint64 last_modified;
 };
 
 #define Microseconds 1e-6
@@ -771,7 +714,7 @@ public:
 		{
 		val = v;
 		last_access_time = network_time;
-		expire_access_time = last_read_update =
+		expire_access_time =
 			int(network_time - bro_start_network_time);
 		}
 
@@ -780,7 +723,6 @@ public:
 		auto rval = new TableEntryVal(val ? val->Clone() : nullptr);
 		rval->last_access_time = last_access_time;
 		rval->expire_access_time = expire_access_time;
-		rval->last_read_update = last_read_update;
 		return rval;
 		}
 
@@ -796,24 +738,16 @@ public:
 	void SetExpireAccess(double time)
 		{ expire_access_time = int(time - bro_start_network_time); }
 
-	// Returns/sets time of when we propagated the last OP_READ_IDX
-	// for this item.
-	double LastReadUpdate() const
-		{ return bro_start_network_time + last_read_update; }
-	void SetLastReadUpdate(double time)
-		{ last_read_update = int(time - bro_start_network_time); }
-
 protected:
 	friend class TableVal;
 
 	Val* val;
 	double last_access_time;
 
-	// The next two entries store seconds since Bro's start.  We use
-	// ints here to save a few bytes, as we do not need a high resolution
-	// for these anyway.
+	// The next entry stores seconds since Bro's start.  We use ints here
+	// to save a few bytes, as we do not need a high resolution for these
+	// anyway.
 	int expire_access_time;
-	int last_read_update;
 };
 
 class TableValTimer : public Timer {
@@ -953,9 +887,6 @@ protected:
 	int ExpandCompoundAndInit(val_list* vl, int k, Val* new_val);
 	int CheckAndAssign(Val* index, Val* new_val);
 
-	bool AddProperties(Properties arg_state) override;
-	bool RemoveProperties(Properties arg_state) override;
-
 	// Calculates default value for index.  Returns 0 if none.
 	Val* Default(Val* index);
 
@@ -971,9 +902,6 @@ protected:
 	// takes ownership of the reference.
 	double CallExpireFunc(Val *idx);
 
-	// Propagates a read operation if necessary.
-	void ReadOperation(Val* index, TableEntryVal *v);
-
 	Val* DoClone(CloneState* state) override;
 
 	TableType* table_type;
@@ -1043,9 +971,6 @@ protected:
 	friend class Val;
 	RecordVal()	{}
 
-	bool AddProperties(Properties arg_state) override;
-	bool RemoveProperties(Properties arg_state) override;
-
 	Val* DoClone(CloneState* state) override;
 
 	RecordType* record_type;
@@ -1133,8 +1058,6 @@ protected:
 	friend class Val;
 	VectorVal()	{ }
 
-	bool AddProperties(Properties arg_state) override;
-	bool RemoveProperties(Properties arg_state) override;
 	void ValDescribe(ODesc* d) const override;
 	Val* DoClone(CloneState* state) override;
 

From 062a1ee6b37b7686b7eea7c455901797316a937d Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Thu, 6 Jun 2019 23:13:43 +0000
Subject: [PATCH 43/91] Redo API for notifiers.

There's now an notifier::Modifiable interface class that class
supposed to signal modifications are to be derived from. This takes
the place of the former MutableValue class and also unifies how Val
and IDs signal modifications.
---
 src/ID.cc          |   2 +-
 src/ID.h           |   2 +-
 src/StateAccess.cc |  99 +++++++++--------------------------
 src/StateAccess.h  | 125 ++++++++++++++++++++++++++-------------------
 src/Trigger.cc     |  30 ++++-------
 src/Trigger.h      |   9 ++--
 src/Val.cc         |   6 +--
 src/Val.h          |  16 ++++--
 8 files changed, 126 insertions(+), 163 deletions(-)

diff --git a/src/ID.cc b/src/ID.cc
index 582c8fcf8e..894de949a5 100644
--- a/src/ID.cc
+++ b/src/ID.cc
@@ -66,7 +66,7 @@ void ID::SetVal(Val* v, bool arg_weak_ref)
 
 	val = v;
 	weak_ref = arg_weak_ref;
-	notifiers.Modified(this);
+	Modified();
 
 #ifdef DEBUG
 	UpdateValID();
diff --git a/src/ID.h b/src/ID.h
index 7717a584f3..a1cbe494d3 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -15,7 +15,7 @@ class Func;
 typedef enum { INIT_NONE, INIT_FULL, INIT_EXTRA, INIT_REMOVE, } init_class;
 typedef enum { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL } IDScope;
 
-class ID : public BroObj {
+class ID : public BroObj, public notifier::Modifiable {
 public:
 	ID(const char* name, IDScope arg_scope, bool arg_is_export);
 	~ID() override;
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index 853a8a7879..7d7c397981 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -4,110 +4,57 @@
 #include "NetVar.h"
 #include "DebugLogger.h"
 
-NotifierRegistry notifiers;
+notifier::Registry notifier::registry;
 
-NotifierRegistry::~NotifierRegistry()
+notifier::Registry::~Registry()
 	{
-	for ( auto i : ids )
-		Unref(i.first);
-
-	for ( auto i : vals )
-		Unref(i.first);
+	for ( auto i : registrations )
+		Unregister(i.first);
 	}
 
-void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
+void notifier::Registry::Register(Modifiable* m, notifier::Notifier* notifier)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "registering ID %s for notifier %s",
-		id->Name(), notifier->Name());
+	DBG_LOG(DBG_NOTIFIERS, "registering modifiable %p for notifier %s",
+		m, notifier->Name());
 
-	Attr* attr = new Attr(ATTR_TRACKED);
-
-	if ( id->Attrs() )
-		{
-		if ( ! id->Attrs()->FindAttr(ATTR_TRACKED) )
-			id->Attrs()->AddAttr(attr);
-		}
-	else
-		{
-		attr_list* a = new attr_list{attr};
-		id->SetAttrs(new Attributes(a, id->Type(), false));
-		}
-
-	Unref(attr);
-
-	ids.insert({id, notifier});
-	Ref(id);
+	registrations.insert({m, notifier});
+	++m->notifiers;
 	}
 
-void NotifierRegistry::Register(Val* val, NotifierRegistry::Notifier* notifier)
+void notifier::Registry::Unregister(Modifiable* m, notifier::Notifier* notifier)
 	{
-	if ( ! val->IsMutableVal() )
-		return;
+	DBG_LOG(DBG_NOTIFIERS, "unregistering modifiable %p from notifier %s",
+		m, notifier->Name());
 
-	DBG_LOG(DBG_NOTIFIERS, "registering value %p for notifier %s",
-		val, notifier->Name());
-
-	vals.insert({val, notifier});
-	Ref(val);
-	}
-
-void NotifierRegistry::Unregister(ID* id, NotifierRegistry::Notifier* notifier)
-	{
-	DBG_LOG(DBG_NOTIFIERS, "unregistering ID %s for notifier %s",
-		id->Name(), notifier->Name());
-
-	auto x = ids.equal_range(id);
+	auto x = registrations.equal_range(m);
 	for ( auto i = x.first; i != x.second; i++ )
 		{
 		if ( i->second == notifier )
 			{
-			ids.erase(i);
-			Unref(id);
-			break;
-			}
-		}
-
-	if ( ids.find(id) == ids.end() )
-		// Last registered notifier for this ID
-		id->Attrs()->RemoveAttr(ATTR_TRACKED);
-	}
-
-void NotifierRegistry::Unregister(Val* val, NotifierRegistry::Notifier* notifier)
-	{
-	DBG_LOG(DBG_NOTIFIERS, "unregistering Val %p for notifier %s",
-		val, notifier->Name());
-
-	auto x = vals.equal_range(val);
-	for ( auto i = x.first; i != x.second; i++ )
-		{
-		if ( i->second == notifier )
-			{
-			vals.erase(i);
-			Unref(val);
+			registrations.erase(i);
+			--i->first->notifiers;
 			break;
 			}
 		}
 	}
 
-void NotifierRegistry::Modified(Val *val)
+void notifier::Registry::Unregister(Modifiable* m)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "modification to tracked value %p", val);
-
-	auto x = vals.equal_range(val);
+	auto x = registrations.equal_range(m);
 	for ( auto i = x.first; i != x.second; i++ )
-		i->second->Modified(val);
+		Unregister(m, i->second);
 	}
 
-void NotifierRegistry::Modified(ID *id)
+void notifier::Registry::Modified(Modifiable* m)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "modification to tracked ID %s", id->Name());
+	DBG_LOG(DBG_NOTIFIERS, "modification to modifiable %p", m);
 
-	auto x = ids.equal_range(id);
+	auto x = registrations.equal_range(m);
 	for ( auto i = x.first; i != x.second; i++ )
-		i->second->Modified(id);
+		i->second->Modified(m);
 	}
 
-const char* NotifierRegistry::Notifier::Name() const
+const char* notifier::Notifier::Name() const
 	{
 	return fmt("%p", this);
 	}
diff --git a/src/StateAccess.h b/src/StateAccess.h
index 528e3357d5..91a7fa6186 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -1,4 +1,14 @@
 // A class describing a state-modyfing access to a Value or an ID.
+//
+// TODO UPDATE: We provide a notifier framework to inform interested parties
+// of modifications to selected global IDs/Vals. To get notified about a
+// change, derive a class from Notifier and register the interesting
+// instances with the NotifierRegistry.
+//
+// Note: For containers (e.g., tables), notifications are only issued if the
+// container itself is modified, *not* for changes to the values contained
+// therein.
+
 
 #ifndef STATEACESSS_H
 #define STATEACESSS_H
@@ -7,63 +17,74 @@
 #include <unordered_map>
 #include <string>
 
-class Val;
-class ID;
-class MutableVal;
-class HashKey;
-class ODesc;
-class TableVal;
+#include "util.h"
 
-// We provide a notifier framework to inform interested parties of
-// modifications to selected global IDs/Vals. To get notified about a change,
-// derive a class from Notifier and register the interesting IDs/Vals with
-// the NotifierRegistry.
-//
-// Note: For containers (e.g., tables), notifications are only issued if the
-// container itself is modified, *not* for changes to the values contained
-// therein.
+namespace notifier  {
 
-class NotifierRegistry {
+class Modifiable;
+
+class Notifier {
 public:
-	class Notifier {
-	public:
-		virtual ~Notifier()	{ }
+	virtual ~Notifier()	{ }
 
-		// Called when a change is being performed. Note that when
-		// these methods are called, it is undefined whether the
-		// change has already been done or is just going to be
-		// performed soon.
-		virtual void Modified(ID* id) = 0;
-		virtual void Modified(Val* val) = 0;
-		virtual const char* Name() const;	// for debugging
-	};
-
-	NotifierRegistry()	{ }
-	~NotifierRegistry();
-
-	// Register a new notifier to be informed when ID/Val changes. Note
-	// that the registry will store a reference to the target, keeping
-	// the instance alive for as long as it's registered.
-	void Register(ID* id, Notifier* notifier);
-	void Register(Val* val, Notifier* notifier);
-
-	// Cancel a notifier's tracking for this ID/Val, also releasing the
-	// referencee being held.
-	void Unregister(ID* id, Notifier* notifier);
-	void Unregister(Val* val, Notifier* notifier);
-
-	// Inform all registered notifiiers of a modification to a value/ID.
-	void Modified(ID *id);
-	void Modified(Val *val);
-
-private:
-	typedef std::unordered_multimap<Val*, Notifier*> ValMap;
-	typedef std::unordered_multimap<ID*, Notifier*> IDMap;
-
-	ValMap vals;
-	IDMap ids;
+	// Called afger a change has been performed.
+	virtual void Modified(Modifiable* m) = 0;
+	virtual const char* Name() const;	// for debugging
 };
 
-extern NotifierRegistry notifiers;
+// Singleton class.
+class Registry {
+public:
+	Registry()	{ }
+	~Registry();
+
+	// Register a new notifier to be informed when an instance changes.
+	void Register(Modifiable* m, Notifier* notifier);
+
+	// Cancel a notifier's tracking an instace.
+	void Unregister(Modifiable* m, Notifier* notifier);
+
+	// Cancel all notifiers registered for an instance.
+	void Unregister(Modifiable* m);
+
+private:
+	friend class Modifiable;
+
+	// Inform all registered notifiers of a modification to an instance.
+	void Modified(Modifiable* m);
+
+	typedef std::unordered_multimap<Modifiable*, Notifier*> ModifiableMap;
+	ModifiableMap registrations;
+};
+
+
+class Registry;
+extern Registry registry;
+
+// Base class for objects wanting to signal modifications to the registry.
+class Modifiable {
+protected:
+	friend class Registry;
+
+	Modifiable()	{}
+	~Modifiable()
+		{
+		if ( notifiers )
+			registry.Unregister(this);
+
+		};
+
+	void Modified()
+		{
+		if ( notifiers )
+			registry.Modified(this);
+		}
+
+	// Number of currently registered notifiers for this instance.
+	uint64 notifiers;
+};
+
+}
+
 
 #endif
diff --git a/src/Trigger.cc b/src/Trigger.cc
index 213707b6b8..c1295b8218 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@@ -33,7 +33,7 @@ TraversalCode TriggerTraversalCallback::PreExpr(const Expr* expr)
 			trigger->Register(e->Id());
 
 		Val* v = e->Id()->ID_Val();
-		if ( v && v->IsMutableVal() )
+		if ( v && v->Modifiable() )
 			trigger->Register(v);
 		break;
 		};
@@ -382,38 +382,30 @@ void Trigger::Timeout()
 void Trigger::Register(ID* id)
 	{
 	assert(! disabled);
-	notifiers.Register(id, this);
+	notifier::registry.Register(id, this);
 
 	Ref(id);
-	ids.insert(id);
+	objs.push_back(id);
 	}
 
 void Trigger::Register(Val* val)
 	{
+	if ( ! val->Modifiable() )
+		return;
+
 	assert(! disabled);
-	notifiers.Register(val, this);
+	notifier::registry.Register(val->Modifiable(), this);
 
 	Ref(val);
-	vals.insert(val);
+	objs.push_back(val);
 	}
 
 void Trigger::UnregisterAll()
 	{
-	loop_over_list(ids, i)
-		{
-		notifiers.Unregister(ids[i], this);
-		Unref(ids[i]);
-		}
+	for ( auto o : objs )
+		Unref(o); // this will unregister with the registry as well
 
-	ids.clear();
-
-	loop_over_list(vals, j)
-		{
-		notifiers.Unregister(vals[j], this);
-		Unref(vals[j]);
-		}
-
-	vals.clear();
+	objs.clear();
 	}
 
 void Trigger::Attach(Trigger *trigger)
diff --git a/src/Trigger.h b/src/Trigger.h
index 8dc478e049..fe7d425a72 100644
--- a/src/Trigger.h
+++ b/src/Trigger.h
@@ -13,7 +13,7 @@
 class TriggerTimer;
 class TriggerTraversalCallback;
 
-class Trigger : public NotifierRegistry::Notifier, public BroObj {
+class Trigger : public notifier::Notifier, public BroObj {
 public:
 	// Don't access Trigger objects; they take care of themselves after
 	// instantiation.  Note that if the condition is already true, the
@@ -61,9 +61,7 @@ public:
 		{ d->Add("<trigger>"); }
 	// Overidden from Notifier.  We queue the trigger and evaluate it
 	// later to avoid race conditions.
-	void Modified(ID* id) override
-		{ QueueTrigger(this); }
-	void Modified(Val* val) override
+	void Modified(notifier::Modifiable* m) override
 		{ QueueTrigger(this); }
 
 	const char* Name() const override;
@@ -104,8 +102,7 @@ private:
 	bool delayed; // true if a function call is currently being delayed
 	bool disabled;
 
-	val_list vals;
-	id_list ids;
+	std::vector<BroObj *> objs;
 
 	typedef map<const CallExpr*, Val*> ValCache;
 	ValCache cache;
diff --git a/src/Val.cc b/src/Val.cc
index 4ba2ea6dd7..bea9ce4038 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -899,7 +899,7 @@ static void table_entry_val_delete_func(void* val)
 	delete tv;
 	}
 
-TableVal::TableVal(TableType* t, Attributes* a) : MutableVal(t)
+TableVal::TableVal(TableType* t, Attributes* a) : Val(t)
 	{
 	Init(t);
 	SetAttrs(a);
@@ -1982,7 +1982,7 @@ unsigned int TableVal::MemoryAllocation() const
 
 vector<RecordVal*> RecordVal::parse_time_records;
 
-RecordVal::RecordVal(RecordType* t, bool init_fields) : MutableVal(t)
+RecordVal::RecordVal(RecordType* t, bool init_fields) : Val(t)
 	{
 	origin = 0;
 	record_type = t;
@@ -2287,7 +2287,7 @@ Val* EnumVal::DoClone(CloneState* state)
 	return Ref();
 	}
 
-VectorVal::VectorVal(VectorType* t) : MutableVal(t)
+VectorVal::VectorVal(VectorType* t) : Val(t)
 	{
 	vector_type = t->Ref()->AsVectorType();
 	val.vector_val = new vector<Val*>();
diff --git a/src/Val.h b/src/Val.h
index 48f456fa17..d98c352f6d 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -328,6 +328,8 @@ public:
 	void Describe(ODesc* d) const override;
 	virtual void DescribeReST(ODesc* d) const;
 
+	virtual notifier::Modifiable* Modifiable()	{ return 0; }
+
 #ifdef DEBUG
 	// For debugging, we keep a reference to the global ID to which a
 	// value has been bound *last*.
@@ -490,8 +492,6 @@ protected:
 
 	MutableVal()	{}
 	~MutableVal() override;
-
-	void Modified()	{ notifiers.Modified(this); }
 };
 
 #define Microseconds 1e-6
@@ -764,7 +764,7 @@ protected:
 };
 
 class CompositeHash;
-class TableVal : public MutableVal {
+class TableVal : public Val, public notifier::Modifiable {
 public:
 	explicit TableVal(TableType* t, Attributes* attrs = 0);
 	~TableVal() override;
@@ -877,6 +877,8 @@ public:
 	HashKey* ComputeHash(const Val* index) const
 		{ return table_hash->ComputeHash(index, 1); }
 
+	notifier::Modifiable* Modifiable() override	{ return this; }
+
 protected:
 	friend class Val;
 	TableVal()	{}
@@ -915,7 +917,7 @@ protected:
 	Val* def_val;
 };
 
-class RecordVal : public MutableVal {
+class RecordVal : public Val, public notifier::Modifiable {
 public:
 	explicit RecordVal(RecordType* t, bool init_fields = true);
 	~RecordVal() override;
@@ -962,6 +964,8 @@ public:
 	unsigned int MemoryAllocation() const override;
 	void DescribeReST(ODesc* d) const override;
 
+	notifier::Modifiable* Modifiable() override	{ return this; }
+
 	// Extend the underlying arrays of record instances created during
 	// parsing to match the number of fields in the record type (they may
 	// mismatch as a result of parse-time record type redefinitions.
@@ -1006,7 +1010,7 @@ protected:
 };
 
 
-class VectorVal : public MutableVal {
+class VectorVal : public Val, public notifier::Modifiable {
 public:
 	explicit VectorVal(VectorType* t);
 	~VectorVal() override;
@@ -1054,6 +1058,8 @@ public:
 	// Won't shrink size.
 	unsigned int ResizeAtLeast(unsigned int new_num_elements);
 
+	notifier::Modifiable* Modifiable() override	{ return this; }
+
 protected:
 	friend class Val;
 	VectorVal()	{ }

From 7bd738865cdab1d5983a96a16f5d199166cb3fcb Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Thu, 6 Jun 2019 23:48:31 +0000
Subject: [PATCH 44/91] Remove MutableVal class.

---
 src/ID.h                           |  4 ----
 src/StateAccess.cc                 | 23 ++++++++++++++---------
 src/StateAccess.h                  | 21 ++++++++++++---------
 src/Stats.cc                       |  2 +-
 src/Trigger.cc                     | 11 ++++++++---
 src/Trigger.h                      |  4 ++--
 src/Type.h                         |  4 ----
 src/Val.cc                         |  4 ----
 src/Val.h                          | 14 --------------
 src/bro.bif                        |  5 +----
 src/input/readers/config/Config.cc |  2 +-
 11 files changed, 39 insertions(+), 55 deletions(-)

diff --git a/src/ID.h b/src/ID.h
index a1cbe494d3..9c9a842c39 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -70,10 +70,6 @@ public:
 
 	bool IsRedefinable() const	{ return FindAttr(ATTR_REDEF) != 0; }
 
-	// Returns true if ID is one of those internal globally unique IDs
-	// to which MutableVals are bound (there name start with a '#').
-	bool IsInternalGlobal() const	{ return name && name[0] == '#'; }
-
 	void SetAttrs(Attributes* attr);
 	void AddAttrs(Attributes* attr);
 	void RemoveAttr(attr_tag a);
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index 7d7c397981..b580215271 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -14,8 +14,8 @@ notifier::Registry::~Registry()
 
 void notifier::Registry::Register(Modifiable* m, notifier::Notifier* notifier)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "registering modifiable %p for notifier %s",
-		m, notifier->Name());
+	DBG_LOG(DBG_NOTIFIERS, "registering modifiable %p for notifier %p",
+		m, notifier);
 
 	registrations.insert({m, notifier});
 	++m->notifiers;
@@ -23,16 +23,16 @@ void notifier::Registry::Register(Modifiable* m, notifier::Notifier* notifier)
 
 void notifier::Registry::Unregister(Modifiable* m, notifier::Notifier* notifier)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "unregistering modifiable %p from notifier %s",
-		m, notifier->Name());
+	DBG_LOG(DBG_NOTIFIERS, "unregistering modifiable %p from notifier %p",
+		m, notifier);
 
 	auto x = registrations.equal_range(m);
 	for ( auto i = x.first; i != x.second; i++ )
 		{
 		if ( i->second == notifier )
 			{
-			registrations.erase(i);
 			--i->first->notifiers;
+			registrations.erase(i);
 			break;
 			}
 		}
@@ -40,9 +40,14 @@ void notifier::Registry::Unregister(Modifiable* m, notifier::Notifier* notifier)
 
 void notifier::Registry::Unregister(Modifiable* m)
 	{
+	DBG_LOG(DBG_NOTIFIERS, "unregistering modifiable %p from all notifiers",
+		m);
+
 	auto x = registrations.equal_range(m);
 	for ( auto i = x.first; i != x.second; i++ )
-		Unregister(m, i->second);
+		--i->first->notifiers;
+
+	registrations.erase(x.first, x.second);
 	}
 
 void notifier::Registry::Modified(Modifiable* m)
@@ -54,8 +59,8 @@ void notifier::Registry::Modified(Modifiable* m)
 		i->second->Modified(m);
 	}
 
-const char* notifier::Notifier::Name() const
+notifier::Modifiable::~Modifiable()
 	{
-	return fmt("%p", this);
+	if ( notifiers )
+		registry.Unregister(this);
 	}
-
diff --git a/src/StateAccess.h b/src/StateAccess.h
index 91a7fa6186..b769e320c0 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -18,6 +18,7 @@
 #include <string>
 
 #include "util.h"
+#include "DebugLogger.h"
 
 namespace notifier  {
 
@@ -25,11 +26,18 @@ class Modifiable;
 
 class Notifier {
 public:
-	virtual ~Notifier()	{ }
+	Notifier()
+		{
+		DBG_LOG(DBG_NOTIFIERS, "creating notifier %p", this);
+		}
 
-	// Called afger a change has been performed.
+	virtual ~Notifier()
+		{
+		DBG_LOG(DBG_NOTIFIERS, "destroying notifier %p", this);
+		}
+
+	// Called after a change has been performed.
 	virtual void Modified(Modifiable* m) = 0;
-	virtual const char* Name() const;	// for debugging
 };
 
 // Singleton class.
@@ -67,12 +75,7 @@ protected:
 	friend class Registry;
 
 	Modifiable()	{}
-	~Modifiable()
-		{
-		if ( notifiers )
-			registry.Unregister(this);
-
-		};
+	virtual ~Modifiable();
 
 	void Modified()
 		{
diff --git a/src/Stats.cc b/src/Stats.cc
index 1d2a2c8ad8..9489f12f93 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -255,7 +255,7 @@ void ProfileLogger::Log()
 		while ( (id = globals->NextEntry(c)) )
 			// We don't show/count internal globals as they are always
 			// contained in some other global user-visible container.
-			if ( id->HasVal() && ! id->IsInternalGlobal() )
+			if ( id->HasVal() )
 				{
 				Val* v = id->ID_Val();
 
diff --git a/src/Trigger.cc b/src/Trigger.cc
index c1295b8218..8de5dff5bd 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@@ -385,7 +385,7 @@ void Trigger::Register(ID* id)
 	notifier::registry.Register(id, this);
 
 	Ref(id);
-	objs.push_back(id);
+	objs.push_back({id, id});
 	}
 
 void Trigger::Register(Val* val)
@@ -397,13 +397,18 @@ void Trigger::Register(Val* val)
 	notifier::registry.Register(val->Modifiable(), this);
 
 	Ref(val);
-	objs.push_back(val);
+	objs.emplace_back(val, val->Modifiable());
 	}
 
 void Trigger::UnregisterAll()
 	{
+	DBG_LOG(DBG_NOTIFIERS, "%s: unregistering all", Name());
+
 	for ( auto o : objs )
-		Unref(o); // this will unregister with the registry as well
+		{
+		notifier::registry.Unregister(o.second, this);
+		Unref(o.first);
+		}
 
 	objs.clear();
 	}
diff --git a/src/Trigger.h b/src/Trigger.h
index fe7d425a72..3004d30732 100644
--- a/src/Trigger.h
+++ b/src/Trigger.h
@@ -64,7 +64,7 @@ public:
 	void Modified(notifier::Modifiable* m) override
 		{ QueueTrigger(this); }
 
-	const char* Name() const override;
+	const char* Name() const;
 
 	static void QueueTrigger(Trigger* trigger);
 
@@ -102,7 +102,7 @@ private:
 	bool delayed; // true if a function call is currently being delayed
 	bool disabled;
 
-	std::vector<BroObj *> objs;
+	std::vector<std::pair<BroObj *, notifier::Modifiable*>> objs;
 
 	typedef map<const CallExpr*, Val*> ValCache;
 	ValCache cache;
diff --git a/src/Type.h b/src/Type.h
index a97f7360c8..bc8d673443 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -693,10 +693,6 @@ bool is_atomic_type(const BroType* t);
 // True if the given type tag corresponds to a function type.
 #define IsFunc(t)	(t == TYPE_FUNC)
 
-// True if the given type tag corresponds to mutable type.
-#define IsMutable(t)	\
-	(t == TYPE_RECORD || t == TYPE_TABLE || t == TYPE_VECTOR)
-
 // True if the given type type is a vector.
 #define IsVector(t)	(t == TYPE_VECTOR)
 
diff --git a/src/Val.cc b/src/Val.cc
index bea9ce4038..0d6f5838ca 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -349,10 +349,6 @@ void Val::ValDescribeReST(ODesc* d) const
 	}
 	}
 
-MutableVal::~MutableVal()
-	{
-	}
-
 IntervalVal::IntervalVal(double quantity, double units) :
 	Val(quantity * units, TYPE_INTERVAL)
 	{
diff --git a/src/Val.h b/src/Val.h
index d98c352f6d..48bbd50cfc 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -49,7 +49,6 @@ class RecordVal;
 class ListVal;
 class StringVal;
 class EnumVal;
-class MutableVal;
 
 class VectorVal;
 
@@ -320,11 +319,6 @@ public:
 	CONST_CONVERTER(TYPE_STRING, StringVal*, AsStringVal)
 	CONST_CONVERTER(TYPE_VECTOR, VectorVal*, AsVectorVal)
 
-	bool IsMutableVal() const
-		{
-		return IsMutable(type->Tag());
-		}
-
 	void Describe(ODesc* d) const override;
 	virtual void DescribeReST(ODesc* d) const;
 
@@ -486,14 +480,6 @@ private:
 
 extern ValManager* val_mgr;
 
-class MutableVal : public Val {
-protected:
-	explicit MutableVal(BroType* t) : Val(t)	{}
-
-	MutableVal()	{}
-	~MutableVal() override;
-};
-
 #define Microseconds 1e-6
 #define Milliseconds 1e-3
 #define Seconds 1.0
diff --git a/src/bro.bif b/src/bro.bif
index 47b713e4e1..e143cf16e8 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -1819,7 +1819,7 @@ function global_sizes%(%): var_sizes
 
 	ID* id;
 	while ( (id = globals->NextEntry(c)) )
-		if ( id->HasVal() && ! id->IsInternalGlobal() )
+		if ( id->HasVal() )
 			{
 			Val* id_name = new StringVal(id->Name());
 			Val* id_size = val_mgr->GetCount(id->ID_Val()->MemoryAllocation());
@@ -1847,9 +1847,6 @@ function global_ids%(%): id_table
 	ID* id;
 	while ( (id = globals->NextEntry(c)) )
 		{
-		if ( id->IsInternalGlobal() )
-			continue;
-
 		RecordVal* rec = new RecordVal(script_id);
 		rec->Assign(0, new StringVal(type_name(id->Type()->Tag())));
 		rec->Assign(1, val_mgr->GetBool(id->IsExport()));
diff --git a/src/input/readers/config/Config.cc b/src/input/readers/config/Config.cc
index eca276281c..7c1708babd 100644
--- a/src/input/readers/config/Config.cc
+++ b/src/input/readers/config/Config.cc
@@ -33,7 +33,7 @@ Config::Config(ReaderFrontend *frontend) : ReaderBackend(frontend)
 
 	while ( auto id = globals->NextEntry(c) )
 		{
-		if ( id->IsInternalGlobal() || ! id->IsOption() )
+		if ( ! id->IsOption() )
 			continue;
 
 		if ( id->Type()->Tag() == TYPE_RECORD ||

From 6adab8d46a98db691fbc1ed3ae4933d519183b1e Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Fri, 7 Jun 2019 23:38:25 +0000
Subject: [PATCH 45/91] Clean up new code.

---
 src/StateAccess.cc |  42 +++++++++--------
 src/StateAccess.h  | 109 +++++++++++++++++++++++++++------------------
 src/Trigger.cc     |   2 +-
 src/Trigger.h      |   2 +-
 src/Val.h          |   2 +
 5 files changed, 94 insertions(+), 63 deletions(-)

diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index b580215271..dcf5ef8b21 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -1,37 +1,44 @@
-#include "Val.h"
+// See the file "COPYING" in the main distribution directory for copyright.
+
 #include "StateAccess.h"
-#include "Event.h"
-#include "NetVar.h"
 #include "DebugLogger.h"
 
 notifier::Registry notifier::registry;
 
+notifier::Receiver::Receiver()
+	{
+	DBG_LOG(DBG_NOTIFIERS, "creating receiver %p", this);
+	}
+
+notifier::Receiver::~Receiver()
+	{
+	DBG_LOG(DBG_NOTIFIERS, "deleting receiver %p", this);
+	}
+
 notifier::Registry::~Registry()
 	{
 	for ( auto i : registrations )
 		Unregister(i.first);
 	}
 
-void notifier::Registry::Register(Modifiable* m, notifier::Notifier* notifier)
+void notifier::Registry::Register(Modifiable* m, notifier::Receiver* r)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "registering modifiable %p for notifier %p",
-		m, notifier);
+	DBG_LOG(DBG_NOTIFIERS, "registering object %p for receiver %p", m, r);
 
-	registrations.insert({m, notifier});
-	++m->notifiers;
+	registrations.insert({m, r});
+	++m->num_receivers;
 	}
 
-void notifier::Registry::Unregister(Modifiable* m, notifier::Notifier* notifier)
+void notifier::Registry::Unregister(Modifiable* m, notifier::Receiver* r)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "unregistering modifiable %p from notifier %p",
-		m, notifier);
+	DBG_LOG(DBG_NOTIFIERS, "unregistering object %p from receiver %p", m, r);
 
 	auto x = registrations.equal_range(m);
 	for ( auto i = x.first; i != x.second; i++ )
 		{
-		if ( i->second == notifier )
+		if ( i->second == r )
 			{
-			--i->first->notifiers;
+			--i->first->num_receivers;
 			registrations.erase(i);
 			break;
 			}
@@ -40,19 +47,18 @@ void notifier::Registry::Unregister(Modifiable* m, notifier::Notifier* notifier)
 
 void notifier::Registry::Unregister(Modifiable* m)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "unregistering modifiable %p from all notifiers",
-		m);
+	DBG_LOG(DBG_NOTIFIERS, "unregistering object %p from all notifiers", m);
 
 	auto x = registrations.equal_range(m);
 	for ( auto i = x.first; i != x.second; i++ )
-		--i->first->notifiers;
+		--i->first->num_receivers;
 
 	registrations.erase(x.first, x.second);
 	}
 
 void notifier::Registry::Modified(Modifiable* m)
 	{
-	DBG_LOG(DBG_NOTIFIERS, "modification to modifiable %p", m);
+	DBG_LOG(DBG_NOTIFIERS, "object %p has been modified", m);
 
 	auto x = registrations.equal_range(m);
 	for ( auto i = x.first; i != x.second; i++ )
@@ -61,6 +67,6 @@ void notifier::Registry::Modified(Modifiable* m)
 
 notifier::Modifiable::~Modifiable()
 	{
-	if ( notifiers )
+	if ( num_receivers )
 		registry.Unregister(this);
 	}
diff --git a/src/StateAccess.h b/src/StateAccess.h
index b769e320c0..2361801ec4 100644
--- a/src/StateAccess.h
+++ b/src/StateAccess.h
@@ -1,14 +1,9 @@
-// A class describing a state-modyfing access to a Value or an ID.
+// See the file "COPYING" in the main distribution directory for copyright.
 //
-// TODO UPDATE: We provide a notifier framework to inform interested parties
-// of modifications to selected global IDs/Vals. To get notified about a
-// change, derive a class from Notifier and register the interesting
-// instances with the NotifierRegistry.
-//
-// Note: For containers (e.g., tables), notifications are only issued if the
-// container itself is modified, *not* for changes to the values contained
-// therein.
-
+// A notification framework to inform interested parties of modifications to
+// selected global objects. To get notified about a change, derive a class
+// from notifier::Receiver and register the interesting objects with the
+// notification::Registry.
 
 #ifndef STATEACESSS_H
 #define STATEACESSS_H
@@ -24,70 +19,98 @@ namespace notifier  {
 
 class Modifiable;
 
-class Notifier {
+/** Interface class for receivers of notifications. */
+class Receiver {
 public:
-	Notifier()
-		{
-		DBG_LOG(DBG_NOTIFIERS, "creating notifier %p", this);
-		}
+	Receiver();
+	virtual ~Receiver();
 
-	virtual ~Notifier()
-		{
-		DBG_LOG(DBG_NOTIFIERS, "destroying notifier %p", this);
-		}
-
-	// Called after a change has been performed.
+	/**
+	 * Callback executed when a register object has been modified.
+	 *
+	 * @param m object that was modified
+	 */
 	virtual void Modified(Modifiable* m) = 0;
 };
 
-// Singleton class.
+/** Singleton class tracking all notification requests globally. */
 class Registry {
 public:
-	Registry()	{ }
 	~Registry();
 
-	// Register a new notifier to be informed when an instance changes.
-	void Register(Modifiable* m, Notifier* notifier);
+	/**
+	 * Registers a receiver to be informed when a modifiable object has
+	 * changed.
+	 *
+	 * @param m object to track. Does not take ownership, but the object
+	 * will automatically unregister itself on destruction.
+	 *
+	 * @param r receiver to notify on changes. Does not take ownershop,
+	 * the receiver must remain valid as long as the registration stays
+	 * in place.
+	 */
+	void Register(Modifiable* m, Receiver* r);
 
-	// Cancel a notifier's tracking an instace.
-	void Unregister(Modifiable* m, Notifier* notifier);
+	/**
+	 * Cancels a receiver's request to be informed about an object's
+	 * modification. The arguments to the method must match what was
+	 * originally registered.
+	 *
+	 * @param m object to no loger track.
+	 *
+	 * @param r receiver to no longer notify.
+	 */
+	void Unregister(Modifiable* m, Receiver* Receiver);
 
-	// Cancel all notifiers registered for an instance.
+	/**
+	 * Cancels any active receiver requests to be informed about a
+	 * partilar object's modifications.
+	 *
+	 * @param m object to no loger track.
+	 */
 	void Unregister(Modifiable* m);
 
 private:
 	friend class Modifiable;
 
-	// Inform all registered notifiers of a modification to an instance.
+	// Inform all registered receivers of a modification to an object.
+	// Will be called from the object itself.
 	void Modified(Modifiable* m);
 
-	typedef std::unordered_multimap<Modifiable*, Notifier*> ModifiableMap;
+	typedef std::unordered_multimap<Modifiable*, Receiver*> ModifiableMap;
 	ModifiableMap registrations;
 };
 
-
-class Registry;
+/**
+ * Singleton object tracking all global notification requests.
+ */
 extern Registry registry;
 
-// Base class for objects wanting to signal modifications to the registry.
+/**
+ * Base class for objects that can trigger notifications to receivers when
+ * modified.
+ */
 class Modifiable {
-protected:
-	friend class Registry;
-
-	Modifiable()	{}
-	virtual ~Modifiable();
-
+public:
+	/**
+	 * Calling this method signals to all registered receivers that the
+	 * object has been modified.
+	 */
 	void Modified()
 		{
-		if ( notifiers )
+		if ( num_receivers )
 			registry.Modified(this);
 		}
 
-	// Number of currently registered notifiers for this instance.
-	uint64 notifiers;
+protected:
+	friend class Registry;
+
+	virtual ~Modifiable();
+
+	// Number of currently registered receivers.
+	uint64 num_receivers;
 };
 
 }
 
-
 #endif
diff --git a/src/Trigger.cc b/src/Trigger.cc
index 8de5dff5bd..ae6483e3f5 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@@ -404,7 +404,7 @@ void Trigger::UnregisterAll()
 	{
 	DBG_LOG(DBG_NOTIFIERS, "%s: unregistering all", Name());
 
-	for ( auto o : objs )
+	for ( const auto& o : objs )
 		{
 		notifier::registry.Unregister(o.second, this);
 		Unref(o.first);
diff --git a/src/Trigger.h b/src/Trigger.h
index 3004d30732..0de5499045 100644
--- a/src/Trigger.h
+++ b/src/Trigger.h
@@ -13,7 +13,7 @@
 class TriggerTimer;
 class TriggerTraversalCallback;
 
-class Trigger : public notifier::Notifier, public BroObj {
+class Trigger : public BroObj, public notifier::Receiver {
 public:
 	// Don't access Trigger objects; they take care of themselves after
 	// instantiation.  Note that if the condition is already true, the
diff --git a/src/Val.h b/src/Val.h
index 48bbd50cfc..8eb33d1f0e 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -322,6 +322,8 @@ public:
 	void Describe(ODesc* d) const override;
 	virtual void DescribeReST(ODesc* d) const;
 
+	// To be overridden by mutable derived class to enable change
+	// notification.
 	virtual notifier::Modifiable* Modifiable()	{ return 0; }
 
 #ifdef DEBUG

From 32f30b5c716ccab9cd8a0d9eac6e8a63b473ad14 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Sat, 8 Jun 2019 00:27:23 +0000
Subject: [PATCH 46/91] Renaming src/StateAccess.{h,cc} to src/Notifier.{h,cc}.

The old names did not reflect the content of the files anymore.
---
 src/CMakeLists.txt                  | 2 +-
 src/ID.h                            | 2 +-
 src/{StateAccess.cc => Notifier.cc} | 2 +-
 src/{StateAccess.h => Notifier.h}   | 4 ++--
 src/Trigger.h                       | 2 +-
 src/Val.h                           | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
 rename src/{StateAccess.cc => Notifier.cc} (98%)
 rename src/{StateAccess.h => Notifier.h} (98%)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 1afa5193cc..6620779de8 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -302,7 +302,7 @@ set(bro_SRCS
     Scope.cc
     SerializationFormat.cc
     Sessions.cc
-    StateAccess.cc
+    Notifier.cc
     Stats.cc
     Stmt.cc
     Tag.cc
diff --git a/src/ID.h b/src/ID.h
index 9c9a842c39..ee60d4e61c 100644
--- a/src/ID.h
+++ b/src/ID.h
@@ -5,7 +5,7 @@
 
 #include "Type.h"
 #include "Attr.h"
-#include "StateAccess.h"
+#include "Notifier.h"
 #include "TraverseTypes.h"
 #include <string>
 
diff --git a/src/StateAccess.cc b/src/Notifier.cc
similarity index 98%
rename from src/StateAccess.cc
rename to src/Notifier.cc
index dcf5ef8b21..15bc334af6 100644
--- a/src/StateAccess.cc
+++ b/src/Notifier.cc
@@ -1,7 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "StateAccess.h"
 #include "DebugLogger.h"
+#include "Notifier.h"
 
 notifier::Registry notifier::registry;
 
diff --git a/src/StateAccess.h b/src/Notifier.h
similarity index 98%
rename from src/StateAccess.h
rename to src/Notifier.h
index 2361801ec4..0a399e526e 100644
--- a/src/StateAccess.h
+++ b/src/Notifier.h
@@ -5,8 +5,8 @@
 // from notifier::Receiver and register the interesting objects with the
 // notification::Registry.
 
-#ifndef STATEACESSS_H
-#define STATEACESSS_H
+#ifndef NOTIFIER_H
+#define NOTIFIER_H
 
 #include <set>
 #include <unordered_map>
diff --git a/src/Trigger.h b/src/Trigger.h
index 0de5499045..2e0c91865f 100644
--- a/src/Trigger.h
+++ b/src/Trigger.h
@@ -4,7 +4,7 @@
 #include <list>
 #include <map>
 
-#include "StateAccess.h"
+#include "Notifier.h"
 #include "Traverse.h"
 
 // Triggers are the heart of "when" statements: expressions that when
diff --git a/src/Val.h b/src/Val.h
index 8eb33d1f0e..959408da8c 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -18,7 +18,7 @@
 #include "Timer.h"
 #include "ID.h"
 #include "Scope.h"
-#include "StateAccess.h"
+#include "Notifier.h"
 #include "IPAddr.h"
 #include "DebugLogger.h"
 

From e0f9b0829ef85199c2af128a62e4ff0b138ee8fd Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Fri, 7 Jun 2019 20:06:33 -0700
Subject: [PATCH 47/91] Adapt bro_plugin CMake macros to use zeek_plugin

---
 CHANGES                                       |  4 ++++
 VERSION                                       |  2 +-
 aux/bifcl                                     |  2 +-
 aux/binpac                                    |  2 +-
 aux/broker                                    |  2 +-
 aux/zeek-aux                                  |  2 +-
 aux/zeekctl                                   |  2 +-
 cmake                                         |  2 +-
 src/analyzer/protocol/arp/CMakeLists.txt      | 10 ++++-----
 src/analyzer/protocol/ayiya/CMakeLists.txt    | 10 ++++-----
 src/analyzer/protocol/backdoor/CMakeLists.txt | 10 ++++-----
 .../protocol/bittorrent/CMakeLists.txt        | 12 +++++-----
 .../protocol/conn-size/CMakeLists.txt         | 12 +++++-----
 src/analyzer/protocol/dce-rpc/CMakeLists.txt  | 12 +++++-----
 src/analyzer/protocol/dhcp/CMakeLists.txt     | 14 ++++++------
 src/analyzer/protocol/dnp3/CMakeLists.txt     | 12 +++++-----
 src/analyzer/protocol/dns/CMakeLists.txt      | 10 ++++-----
 src/analyzer/protocol/file/CMakeLists.txt     | 10 ++++-----
 src/analyzer/protocol/finger/CMakeLists.txt   | 10 ++++-----
 src/analyzer/protocol/ftp/CMakeLists.txt      | 12 +++++-----
 src/analyzer/protocol/gnutella/CMakeLists.txt | 10 ++++-----
 src/analyzer/protocol/gssapi/CMakeLists.txt   | 12 +++++-----
 src/analyzer/protocol/gtpv1/CMakeLists.txt    | 12 +++++-----
 src/analyzer/protocol/http/CMakeLists.txt     | 12 +++++-----
 src/analyzer/protocol/icmp/CMakeLists.txt     | 10 ++++-----
 src/analyzer/protocol/ident/CMakeLists.txt    | 10 ++++-----
 src/analyzer/protocol/imap/CMakeLists.txt     | 14 ++++++------
 .../protocol/interconn/CMakeLists.txt         | 10 ++++-----
 src/analyzer/protocol/irc/CMakeLists.txt      | 10 ++++-----
 src/analyzer/protocol/krb/CMakeLists.txt      | 20 ++++++++---------
 src/analyzer/protocol/login/CMakeLists.txt    | 12 +++++-----
 src/analyzer/protocol/mime/CMakeLists.txt     | 10 ++++-----
 src/analyzer/protocol/modbus/CMakeLists.txt   | 12 +++++-----
 src/analyzer/protocol/mysql/CMakeLists.txt    | 12 +++++-----
 src/analyzer/protocol/ncp/CMakeLists.txt      | 12 +++++-----
 src/analyzer/protocol/netbios/CMakeLists.txt  | 12 +++++-----
 src/analyzer/protocol/ntlm/CMakeLists.txt     | 12 +++++-----
 src/analyzer/protocol/ntp/CMakeLists.txt      | 10 ++++-----
 src/analyzer/protocol/pia/CMakeLists.txt      |  8 +++----
 src/analyzer/protocol/pop3/CMakeLists.txt     | 10 ++++-----
 src/analyzer/protocol/radius/CMakeLists.txt   | 12 +++++-----
 src/analyzer/protocol/rdp/CMakeLists.txt      | 14 ++++++------
 src/analyzer/protocol/rfb/CMakeLists.txt      | 12 +++++-----
 src/analyzer/protocol/rpc/CMakeLists.txt      | 10 ++++-----
 src/analyzer/protocol/sip/CMakeLists.txt      | 18 +++++++--------
 src/analyzer/protocol/smb/CMakeLists.txt      | 12 +++++-----
 src/analyzer/protocol/smtp/CMakeLists.txt     | 12 +++++-----
 src/analyzer/protocol/snmp/CMakeLists.txt     | 14 ++++++------
 src/analyzer/protocol/socks/CMakeLists.txt    | 12 +++++-----
 src/analyzer/protocol/ssh/CMakeLists.txt      | 14 ++++++------
 src/analyzer/protocol/ssl/CMakeLists.txt      | 22 +++++++++----------
 .../protocol/stepping-stone/CMakeLists.txt    | 10 ++++-----
 src/analyzer/protocol/syslog/CMakeLists.txt   | 12 +++++-----
 src/analyzer/protocol/tcp/CMakeLists.txt      | 12 +++++-----
 src/analyzer/protocol/teredo/CMakeLists.txt   | 10 ++++-----
 src/analyzer/protocol/udp/CMakeLists.txt      | 10 ++++-----
 src/analyzer/protocol/vxlan/CMakeLists.txt    | 10 ++++-----
 src/analyzer/protocol/xmpp/CMakeLists.txt     | 14 ++++++------
 src/analyzer/protocol/zip/CMakeLists.txt      |  8 +++----
 .../analyzer/data_event/CMakeLists.txt        |  8 +++----
 .../analyzer/entropy/CMakeLists.txt           | 10 ++++-----
 .../analyzer/extract/CMakeLists.txt           | 12 +++++-----
 .../analyzer/hash/CMakeLists.txt              | 10 ++++-----
 src/file_analysis/analyzer/pe/CMakeLists.txt  | 12 +++++-----
 .../analyzer/unified2/CMakeLists.txt          | 12 +++++-----
 .../analyzer/x509/CMakeLists.txt              | 12 +++++-----
 src/input/readers/ascii/CMakeLists.txt        | 10 ++++-----
 src/input/readers/benchmark/CMakeLists.txt    | 10 ++++-----
 src/input/readers/binary/CMakeLists.txt       | 10 ++++-----
 src/input/readers/config/CMakeLists.txt       | 10 ++++-----
 src/input/readers/raw/CMakeLists.txt          | 10 ++++-----
 src/input/readers/sqlite/CMakeLists.txt       | 10 ++++-----
 src/iosource/pcap/CMakeLists.txt              |  8 +++----
 src/logging/writers/ascii/CMakeLists.txt      | 10 ++++-----
 src/logging/writers/none/CMakeLists.txt       | 10 ++++-----
 src/logging/writers/sqlite/CMakeLists.txt     | 10 ++++-----
 76 files changed, 399 insertions(+), 395 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2a676f1ed5..1036ce4e92 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.6-400 | 2019-06-07 20:06:33 -0700
+
+  * Adapt bro_plugin CMake macros to use zeek_plugin (Jon Siwek, Corelight)
+
 2.6-399 | 2019-06-07 14:02:18 -0700
 
   * Update SSL documentation. (Johanna Amann)
diff --git a/VERSION b/VERSION
index 05c01065ab..348104bb60 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-399
+2.6-400
diff --git a/aux/bifcl b/aux/bifcl
index bbf503e67c..ce92264d71 160000
--- a/aux/bifcl
+++ b/aux/bifcl
@@ -1 +1 @@
-Subproject commit bbf503e67cdcddbb13f8e067b0cbb2d874728c4f
+Subproject commit ce92264d711553c54d0bbc523ce829c0669a8b16
diff --git a/aux/binpac b/aux/binpac
index 6ed824a38e..97a855fc52 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 6ed824a38ea23dc10ec8bb21f813496719e9f76c
+Subproject commit 97a855fc5200506fe0ad0d4a0a7af765d72bb1b2
diff --git a/aux/broker b/aux/broker
index e142a362b4..1b249dc995 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit e142a362b4c712699ac43494a245058948c085c8
+Subproject commit 1b249dc995c6e31314cc2a0559d36460ae37bd75
diff --git a/aux/zeek-aux b/aux/zeek-aux
index bac443d6ce..9a9b106f9f 160000
--- a/aux/zeek-aux
+++ b/aux/zeek-aux
@@ -1 +1 @@
-Subproject commit bac443d6cebca567d3d0da52a25ff4e0bcdd1edd
+Subproject commit 9a9b106f9f2df702260ce0a6391ad047b37d0e48
diff --git a/aux/zeekctl b/aux/zeekctl
index 37275b29f5..a72205e04b 160000
--- a/aux/zeekctl
+++ b/aux/zeekctl
@@ -1 +1 @@
-Subproject commit 37275b29f5fe5fa68808229907a6f7bebcddafdf
+Subproject commit a72205e04bb007ddf5226202cde852937bdb85a5
diff --git a/cmake b/cmake
index 8fb99b7aa9..310498b448 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 8fb99b7aa9851caae2d938675324661571f8758e
+Subproject commit 310498b44868cde4e9a75c399865549d02a0a318
diff --git a/src/analyzer/protocol/arp/CMakeLists.txt b/src/analyzer/protocol/arp/CMakeLists.txt
index eec6755a18..9f28d80296 100644
--- a/src/analyzer/protocol/arp/CMakeLists.txt
+++ b/src/analyzer/protocol/arp/CMakeLists.txt
@@ -4,12 +4,12 @@
 # it's also parsing a protocol just like them. The current structure
 # is merely a left-over from when this code was written.
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro ARP)
-bro_plugin_cc(ARP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro ARP)
+zeek_plugin_cc(ARP.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt
index 50113b72d7..6ad6cfcf17 100644
--- a/src/analyzer/protocol/ayiya/CMakeLists.txt
+++ b/src/analyzer/protocol/ayiya/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro AYIYA)
-bro_plugin_cc(AYIYA.cc Plugin.cc)
-bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro AYIYA)
+zeek_plugin_cc(AYIYA.cc Plugin.cc)
+zeek_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/backdoor/CMakeLists.txt b/src/analyzer/protocol/backdoor/CMakeLists.txt
index 5df04769f6..d45396f99d 100644
--- a/src/analyzer/protocol/backdoor/CMakeLists.txt
+++ b/src/analyzer/protocol/backdoor/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro BackDoor)
-bro_plugin_cc(BackDoor.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro BackDoor)
+zeek_plugin_cc(BackDoor.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/bittorrent/CMakeLists.txt b/src/analyzer/protocol/bittorrent/CMakeLists.txt
index 630ea03498..c7c8c82d2b 100644
--- a/src/analyzer/protocol/bittorrent/CMakeLists.txt
+++ b/src/analyzer/protocol/bittorrent/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro BitTorrent)
-bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro BitTorrent)
+zeek_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/conn-size/CMakeLists.txt b/src/analyzer/protocol/conn-size/CMakeLists.txt
index f89a6e5b88..fb2e7f68da 100644
--- a/src/analyzer/protocol/conn-size/CMakeLists.txt
+++ b/src/analyzer/protocol/conn-size/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro ConnSize)
-bro_plugin_cc(ConnSize.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro ConnSize)
+zeek_plugin_cc(ConnSize.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
index 959e6ac87c..db499691d7 100644
--- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
@@ -1,12 +1,12 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro DCE_RPC)
-bro_plugin_cc(DCE_RPC.cc Plugin.cc)
-bro_plugin_bif(consts.bif types.bif events.bif)
-bro_plugin_pac(
+zeek_plugin_begin(Bro DCE_RPC)
+zeek_plugin_cc(DCE_RPC.cc Plugin.cc)
+zeek_plugin_bif(consts.bif types.bif events.bif)
+zeek_plugin_pac(
     dce_rpc.pac
     dce_rpc-protocol.pac
     dce_rpc-analyzer.pac
@@ -14,5 +14,5 @@ bro_plugin_pac(
     endpoint-atsvc.pac
     endpoint-epmapper.pac
     )
-bro_plugin_end()
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt
index 6077adfeb6..df79660338 100644
--- a/src/analyzer/protocol/dhcp/CMakeLists.txt
+++ b/src/analyzer/protocol/dhcp/CMakeLists.txt
@@ -1,11 +1,11 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro DHCP)
-bro_plugin_cc(DHCP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(types.bif)
-bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac dhcp-options.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro DHCP)
+zeek_plugin_cc(DHCP.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(types.bif)
+zeek_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac dhcp-options.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/dnp3/CMakeLists.txt b/src/analyzer/protocol/dnp3/CMakeLists.txt
index b1c0f0b760..9134412a57 100644
--- a/src/analyzer/protocol/dnp3/CMakeLists.txt
+++ b/src/analyzer/protocol/dnp3/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro DNP3)
-bro_plugin_cc(DNP3.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(dnp3.pac dnp3-analyzer.pac dnp3-protocol.pac dnp3-objects.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro DNP3)
+zeek_plugin_cc(DNP3.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(dnp3.pac dnp3-analyzer.pac dnp3-protocol.pac dnp3-objects.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/dns/CMakeLists.txt b/src/analyzer/protocol/dns/CMakeLists.txt
index c63b2dc690..bb01552bf5 100644
--- a/src/analyzer/protocol/dns/CMakeLists.txt
+++ b/src/analyzer/protocol/dns/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro DNS)
-bro_plugin_cc(DNS.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro DNS)
+zeek_plugin_cc(DNS.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/file/CMakeLists.txt b/src/analyzer/protocol/file/CMakeLists.txt
index 978c28c9c4..0746f8d785 100644
--- a/src/analyzer/protocol/file/CMakeLists.txt
+++ b/src/analyzer/protocol/file/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro File)
-bro_plugin_cc(File.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro File)
+zeek_plugin_cc(File.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt
index 52dd3816f9..095b3e81ec 100644
--- a/src/analyzer/protocol/finger/CMakeLists.txt
+++ b/src/analyzer/protocol/finger/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Finger)
-bro_plugin_cc(Finger.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro Finger)
+zeek_plugin_cc(Finger.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/ftp/CMakeLists.txt b/src/analyzer/protocol/ftp/CMakeLists.txt
index ab657f9260..f55edec611 100644
--- a/src/analyzer/protocol/ftp/CMakeLists.txt
+++ b/src/analyzer/protocol/ftp/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro FTP)
-bro_plugin_cc(FTP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro FTP)
+zeek_plugin_cc(FTP.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/gnutella/CMakeLists.txt b/src/analyzer/protocol/gnutella/CMakeLists.txt
index ee5415b924..254fd667ff 100644
--- a/src/analyzer/protocol/gnutella/CMakeLists.txt
+++ b/src/analyzer/protocol/gnutella/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Gnutella)
-bro_plugin_cc(Gnutella.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro Gnutella)
+zeek_plugin_cc(Gnutella.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/gssapi/CMakeLists.txt b/src/analyzer/protocol/gssapi/CMakeLists.txt
index d826d36bf7..0ed07e2263 100644
--- a/src/analyzer/protocol/gssapi/CMakeLists.txt
+++ b/src/analyzer/protocol/gssapi/CMakeLists.txt
@@ -1,16 +1,16 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro GSSAPI)
-bro_plugin_cc(GSSAPI.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(
+zeek_plugin_begin(Bro GSSAPI)
+zeek_plugin_cc(GSSAPI.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(
     gssapi.pac 
     gssapi-protocol.pac
     gssapi-analyzer.pac
     ../asn1/asn1.pac
     )
-bro_plugin_end()
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt
index b45f32e883..0c2f243eda 100644
--- a/src/analyzer/protocol/gtpv1/CMakeLists.txt
+++ b/src/analyzer/protocol/gtpv1/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro GTPv1)
-bro_plugin_cc(GTPv1.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro GTPv1)
+zeek_plugin_cc(GTPv1.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/http/CMakeLists.txt b/src/analyzer/protocol/http/CMakeLists.txt
index 663d343eb3..555252b2d6 100644
--- a/src/analyzer/protocol/http/CMakeLists.txt
+++ b/src/analyzer/protocol/http/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro HTTP)
-bro_plugin_cc(HTTP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro HTTP)
+zeek_plugin_cc(HTTP.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/icmp/CMakeLists.txt b/src/analyzer/protocol/icmp/CMakeLists.txt
index 7b8bd9c7fe..0dfcea50ef 100644
--- a/src/analyzer/protocol/icmp/CMakeLists.txt
+++ b/src/analyzer/protocol/icmp/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro ICMP)
-bro_plugin_cc(ICMP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro ICMP)
+zeek_plugin_cc(ICMP.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/ident/CMakeLists.txt b/src/analyzer/protocol/ident/CMakeLists.txt
index 658dff141e..eed123d31c 100644
--- a/src/analyzer/protocol/ident/CMakeLists.txt
+++ b/src/analyzer/protocol/ident/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Ident)
-bro_plugin_cc(Ident.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro Ident)
+zeek_plugin_cc(Ident.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/imap/CMakeLists.txt b/src/analyzer/protocol/imap/CMakeLists.txt
index 921dde2444..0a84b0ce09 100644
--- a/src/analyzer/protocol/imap/CMakeLists.txt
+++ b/src/analyzer/protocol/imap/CMakeLists.txt
@@ -1,12 +1,12 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro IMAP)
-bro_plugin_cc(Plugin.cc)
-bro_plugin_cc(IMAP.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(imap.pac imap-analyzer.pac imap-protocol.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro IMAP)
+zeek_plugin_cc(Plugin.cc)
+zeek_plugin_cc(IMAP.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(imap.pac imap-analyzer.pac imap-protocol.pac)
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/interconn/CMakeLists.txt b/src/analyzer/protocol/interconn/CMakeLists.txt
index ef5ca13a9a..0a00a441f1 100644
--- a/src/analyzer/protocol/interconn/CMakeLists.txt
+++ b/src/analyzer/protocol/interconn/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro InterConn)
-bro_plugin_cc(InterConn.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro InterConn)
+zeek_plugin_cc(InterConn.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/irc/CMakeLists.txt b/src/analyzer/protocol/irc/CMakeLists.txt
index 5f97482365..50e4dcb90d 100644
--- a/src/analyzer/protocol/irc/CMakeLists.txt
+++ b/src/analyzer/protocol/irc/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro IRC)
-bro_plugin_cc(IRC.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro IRC)
+zeek_plugin_cc(IRC.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/krb/CMakeLists.txt b/src/analyzer/protocol/krb/CMakeLists.txt
index 1cac35d626..bf82ca0b64 100644
--- a/src/analyzer/protocol/krb/CMakeLists.txt
+++ b/src/analyzer/protocol/krb/CMakeLists.txt
@@ -1,26 +1,26 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro KRB)
-bro_plugin_cc(Plugin.cc)
-bro_plugin_cc(KRB.cc)
-bro_plugin_cc(KRB_TCP.cc)
-bro_plugin_bif(types.bif)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(krb.pac krb-protocol.pac krb-analyzer.pac
+zeek_plugin_begin(Bro KRB)
+zeek_plugin_cc(Plugin.cc)
+zeek_plugin_cc(KRB.cc)
+zeek_plugin_cc(KRB_TCP.cc)
+zeek_plugin_bif(types.bif)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(krb.pac krb-protocol.pac krb-analyzer.pac
 	krb-asn1.pac
 	krb-defs.pac
 	krb-types.pac
 	krb-padata.pac
 	../asn1/asn1.pac
 )
-bro_plugin_pac(krb_TCP.pac krb-protocol.pac krb-analyzer.pac
+zeek_plugin_pac(krb_TCP.pac krb-protocol.pac krb-analyzer.pac
 	krb-asn1.pac
 	krb-defs.pac
     krb-types.pac
 	krb-padata.pac
 	../asn1/asn1.pac
 )
-bro_plugin_end()
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/login/CMakeLists.txt b/src/analyzer/protocol/login/CMakeLists.txt
index 66f8eb1568..98eecb7300 100644
--- a/src/analyzer/protocol/login/CMakeLists.txt
+++ b/src/analyzer/protocol/login/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Login)
-bro_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro Login)
+zeek_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/mime/CMakeLists.txt b/src/analyzer/protocol/mime/CMakeLists.txt
index 0a038625f8..571ac2de9f 100644
--- a/src/analyzer/protocol/mime/CMakeLists.txt
+++ b/src/analyzer/protocol/mime/CMakeLists.txt
@@ -4,12 +4,12 @@
 # it's also parsing a protocol just like them. The current structure
 # is merely a left-over from when this code was written.
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro MIME)
-bro_plugin_cc(MIME.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro MIME)
+zeek_plugin_cc(MIME.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/modbus/CMakeLists.txt b/src/analyzer/protocol/modbus/CMakeLists.txt
index e6705cdd22..210609f504 100644
--- a/src/analyzer/protocol/modbus/CMakeLists.txt
+++ b/src/analyzer/protocol/modbus/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Modbus)
-bro_plugin_cc(Modbus.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(modbus.pac modbus-analyzer.pac modbus-protocol.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro Modbus)
+zeek_plugin_cc(Modbus.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(modbus.pac modbus-analyzer.pac modbus-protocol.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/mysql/CMakeLists.txt b/src/analyzer/protocol/mysql/CMakeLists.txt
index 13558417ec..01dbefdd3f 100644
--- a/src/analyzer/protocol/mysql/CMakeLists.txt
+++ b/src/analyzer/protocol/mysql/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro MySQL)
-	bro_plugin_cc(MySQL.cc Plugin.cc)
-	bro_plugin_bif(events.bif)
-	bro_plugin_pac(mysql.pac mysql-analyzer.pac mysql-protocol.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro MySQL)
+	zeek_plugin_cc(MySQL.cc Plugin.cc)
+	zeek_plugin_bif(events.bif)
+	zeek_plugin_pac(mysql.pac mysql-analyzer.pac mysql-protocol.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt
index 1ec5cf2e67..0257c5aba6 100644
--- a/src/analyzer/protocol/ncp/CMakeLists.txt
+++ b/src/analyzer/protocol/ncp/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro NCP)
-bro_plugin_cc(NCP.cc Plugin.cc)
-bro_plugin_bif(events.bif consts.bif)
-bro_plugin_pac(ncp.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro NCP)
+zeek_plugin_cc(NCP.cc Plugin.cc)
+zeek_plugin_bif(events.bif consts.bif)
+zeek_plugin_pac(ncp.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt
index ad6009d171..3f4e53ac66 100644
--- a/src/analyzer/protocol/netbios/CMakeLists.txt
+++ b/src/analyzer/protocol/netbios/CMakeLists.txt
@@ -1,13 +1,13 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc)
 include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../smb)
 
-bro_plugin_begin(Bro NetBIOS)
-bro_plugin_cc(NetbiosSSN.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro NetBIOS)
+zeek_plugin_cc(NetbiosSSN.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/ntlm/CMakeLists.txt b/src/analyzer/protocol/ntlm/CMakeLists.txt
index fe2d4115e9..e7adf7470c 100644
--- a/src/analyzer/protocol/ntlm/CMakeLists.txt
+++ b/src/analyzer/protocol/ntlm/CMakeLists.txt
@@ -1,15 +1,15 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro NTLM)
-bro_plugin_cc(NTLM.cc Plugin.cc)
-bro_plugin_bif(types.bif events.bif)
-bro_plugin_pac(
+zeek_plugin_begin(Bro NTLM)
+zeek_plugin_cc(NTLM.cc Plugin.cc)
+zeek_plugin_bif(types.bif events.bif)
+zeek_plugin_pac(
     ntlm.pac
     ntlm-protocol.pac
     ntlm-analyzer.pac
     )
-bro_plugin_end()
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
index a8b8bb1872..d541755904 100644
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ b/src/analyzer/protocol/ntp/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro NTP)
-bro_plugin_cc(NTP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro NTP)
+zeek_plugin_cc(NTP.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt
index 02397f7aff..d00030f20a 100644
--- a/src/analyzer/protocol/pia/CMakeLists.txt
+++ b/src/analyzer/protocol/pia/CMakeLists.txt
@@ -1,8 +1,8 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro PIA)
-bro_plugin_cc(PIA.cc Plugin.cc)
-bro_plugin_end()
+zeek_plugin_begin(Bro PIA)
+zeek_plugin_cc(PIA.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/pop3/CMakeLists.txt b/src/analyzer/protocol/pop3/CMakeLists.txt
index 8071d6a74d..2c17c3472b 100644
--- a/src/analyzer/protocol/pop3/CMakeLists.txt
+++ b/src/analyzer/protocol/pop3/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro POP3)
-bro_plugin_cc(POP3.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro POP3)
+zeek_plugin_cc(POP3.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/radius/CMakeLists.txt b/src/analyzer/protocol/radius/CMakeLists.txt
index 077d71d7c7..14fdcda418 100644
--- a/src/analyzer/protocol/radius/CMakeLists.txt
+++ b/src/analyzer/protocol/radius/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro RADIUS)
-bro_plugin_cc(RADIUS.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(radius.pac radius-analyzer.pac radius-protocol.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro RADIUS)
+zeek_plugin_cc(RADIUS.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(radius.pac radius-analyzer.pac radius-protocol.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/rdp/CMakeLists.txt b/src/analyzer/protocol/rdp/CMakeLists.txt
index c94afaa052..8e0e821f5a 100644
--- a/src/analyzer/protocol/rdp/CMakeLists.txt
+++ b/src/analyzer/protocol/rdp/CMakeLists.txt
@@ -1,10 +1,10 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro RDP)
-	bro_plugin_cc(RDP.cc Plugin.cc)
-	bro_plugin_bif(events.bif)
-	bro_plugin_bif(types.bif)
-	bro_plugin_pac(rdp.pac rdp-analyzer.pac rdp-protocol.pac ../asn1/asn1.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro RDP)
+	zeek_plugin_cc(RDP.cc Plugin.cc)
+	zeek_plugin_bif(events.bif)
+	zeek_plugin_bif(types.bif)
+	zeek_plugin_pac(rdp.pac rdp-analyzer.pac rdp-protocol.pac ../asn1/asn1.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/rfb/CMakeLists.txt b/src/analyzer/protocol/rfb/CMakeLists.txt
index 28523bfe2d..72b4bc240e 100644
--- a/src/analyzer/protocol/rfb/CMakeLists.txt
+++ b/src/analyzer/protocol/rfb/CMakeLists.txt
@@ -1,9 +1,9 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro RFB)
-	bro_plugin_cc(RFB.cc Plugin.cc)
-	bro_plugin_bif(events.bif)
-	bro_plugin_pac(rfb.pac rfb-analyzer.pac rfb-protocol.pac)
-bro_plugin_end()
\ No newline at end of file
+zeek_plugin_begin(Bro RFB)
+	zeek_plugin_cc(RFB.cc Plugin.cc)
+	zeek_plugin_bif(events.bif)
+	zeek_plugin_pac(rfb.pac rfb-analyzer.pac rfb-protocol.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt
index c71c6ddd9a..82168bb364 100644
--- a/src/analyzer/protocol/rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/rpc/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro RPC)
-bro_plugin_cc(RPC.cc NFS.cc MOUNT.cc Portmap.cc XDR.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro RPC)
+zeek_plugin_cc(RPC.cc NFS.cc MOUNT.cc Portmap.cc XDR.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/sip/CMakeLists.txt b/src/analyzer/protocol/sip/CMakeLists.txt
index 6b42d2519a..d9e2871063 100644
--- a/src/analyzer/protocol/sip/CMakeLists.txt
+++ b/src/analyzer/protocol/sip/CMakeLists.txt
@@ -1,14 +1,14 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SIP)
-bro_plugin_cc(Plugin.cc)
-bro_plugin_cc(SIP.cc)
-bro_plugin_cc(SIP_TCP.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(sip.pac sip-analyzer.pac sip-protocol.pac)
-bro_plugin_pac(sip_TCP.pac sip-protocol.pac sip-analyzer.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro SIP)
+zeek_plugin_cc(Plugin.cc)
+zeek_plugin_cc(SIP.cc)
+zeek_plugin_cc(SIP_TCP.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(sip.pac sip-analyzer.pac sip-protocol.pac)
+zeek_plugin_pac(sip_TCP.pac sip-protocol.pac sip-analyzer.pac)
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index b156d185bc..04e6720b57 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -1,11 +1,11 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 include_directories(AFTER  ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc)
 
-bro_plugin_begin(Bro SMB)
-bro_plugin_cc(SMB.cc Plugin.cc)
-bro_plugin_bif(
+zeek_plugin_begin(Bro SMB)
+zeek_plugin_cc(SMB.cc Plugin.cc)
+zeek_plugin_bif(
 	smb1_com_check_directory.bif
 	smb1_com_close.bif
 	smb1_com_create_directory.bif
@@ -42,7 +42,7 @@ bro_plugin_bif(
 	consts.bif
 
 	types.bif)
-bro_plugin_pac(
+zeek_plugin_pac(
 	smb.pac
 	smb-common.pac
 	smb-strings.pac
@@ -87,4 +87,4 @@ bro_plugin_pac(
 	smb2-com-write.pac
 	smb2-com-transform-header.pac
 )
-bro_plugin_end()
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/smtp/CMakeLists.txt b/src/analyzer/protocol/smtp/CMakeLists.txt
index 82918656a0..f338ebc4c7 100644
--- a/src/analyzer/protocol/smtp/CMakeLists.txt
+++ b/src/analyzer/protocol/smtp/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SMTP)
-bro_plugin_cc(SMTP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro SMTP)
+zeek_plugin_cc(SMTP.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/snmp/CMakeLists.txt b/src/analyzer/protocol/snmp/CMakeLists.txt
index 43cbf45ac4..66c096bc03 100644
--- a/src/analyzer/protocol/snmp/CMakeLists.txt
+++ b/src/analyzer/protocol/snmp/CMakeLists.txt
@@ -1,11 +1,11 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SNMP)
-bro_plugin_cc(SNMP.cc Plugin.cc)
-bro_plugin_bif(types.bif)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(snmp.pac snmp-protocol.pac snmp-analyzer.pac ../asn1/asn1.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro SNMP)
+zeek_plugin_cc(SNMP.cc Plugin.cc)
+zeek_plugin_bif(types.bif)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(snmp.pac snmp-protocol.pac snmp-analyzer.pac ../asn1/asn1.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/socks/CMakeLists.txt b/src/analyzer/protocol/socks/CMakeLists.txt
index 5157c8d368..3fbc88b83a 100644
--- a/src/analyzer/protocol/socks/CMakeLists.txt
+++ b/src/analyzer/protocol/socks/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SOCKS)
-bro_plugin_cc(SOCKS.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(socks.pac socks-protocol.pac socks-analyzer.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro SOCKS)
+zeek_plugin_cc(SOCKS.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(socks.pac socks-protocol.pac socks-analyzer.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/ssh/CMakeLists.txt b/src/analyzer/protocol/ssh/CMakeLists.txt
index b7d8b50b4a..66fe3eb1a4 100644
--- a/src/analyzer/protocol/ssh/CMakeLists.txt
+++ b/src/analyzer/protocol/ssh/CMakeLists.txt
@@ -1,11 +1,11 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SSH)
-	bro_plugin_cc(SSH.cc Plugin.cc)
-	bro_plugin_bif(types.bif)
-	bro_plugin_bif(events.bif)
-	bro_plugin_pac(ssh.pac ssh-analyzer.pac ssh-protocol.pac consts.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro SSH)
+	zeek_plugin_cc(SSH.cc Plugin.cc)
+	zeek_plugin_bif(types.bif)
+	zeek_plugin_bif(events.bif)
+	zeek_plugin_pac(ssh.pac ssh-analyzer.pac ssh-protocol.pac consts.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
index 3193470635..52b75f1336 100644
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@@ -1,24 +1,24 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SSL)
-bro_plugin_cc(SSL.cc DTLS.cc Plugin.cc)
-bro_plugin_bif(types.bif)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_bif(consts.bif)
-bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac
+zeek_plugin_begin(Bro SSL)
+zeek_plugin_cc(SSL.cc DTLS.cc Plugin.cc)
+zeek_plugin_bif(types.bif)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_bif(consts.bif)
+zeek_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac
 	proc-client-hello.pac
 	proc-server-hello.pac
 	proc-certificate.pac
 	tls-handshake-signed_certificate_timestamp.pac
 )
-bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac
+zeek_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac
 	proc-client-hello.pac
 	proc-server-hello.pac
 	proc-certificate.pac
 )
-bro_plugin_pac(dtls.pac ssl-dtls-analyzer.pac dtls-analyzer.pac ssl-dtls-protocol.pac dtls-protocol.pac ssl-defs.pac)
-bro_plugin_end()
+zeek_plugin_pac(dtls.pac ssl-dtls-analyzer.pac dtls-analyzer.pac ssl-dtls-protocol.pac dtls-protocol.pac ssl-defs.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/stepping-stone/CMakeLists.txt b/src/analyzer/protocol/stepping-stone/CMakeLists.txt
index 042f5bc858..91888ac5cb 100644
--- a/src/analyzer/protocol/stepping-stone/CMakeLists.txt
+++ b/src/analyzer/protocol/stepping-stone/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SteppingStone)
-bro_plugin_cc(SteppingStone.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro SteppingStone)
+zeek_plugin_cc(SteppingStone.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt
index 5366f94642..81f58c86c3 100644
--- a/src/analyzer/protocol/syslog/CMakeLists.txt
+++ b/src/analyzer/protocol/syslog/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Syslog)
-bro_plugin_cc(Syslog.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro Syslog)
+zeek_plugin_cc(Syslog.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/tcp/CMakeLists.txt b/src/analyzer/protocol/tcp/CMakeLists.txt
index d4b2dc3eab..af91902f51 100644
--- a/src/analyzer/protocol/tcp/CMakeLists.txt
+++ b/src/analyzer/protocol/tcp/CMakeLists.txt
@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro TCP)
-bro_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro TCP)
+zeek_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/teredo/CMakeLists.txt b/src/analyzer/protocol/teredo/CMakeLists.txt
index c9c4a84db6..d5e68bb86e 100644
--- a/src/analyzer/protocol/teredo/CMakeLists.txt
+++ b/src/analyzer/protocol/teredo/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Teredo)
-bro_plugin_cc(Teredo.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro Teredo)
+zeek_plugin_cc(Teredo.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/udp/CMakeLists.txt b/src/analyzer/protocol/udp/CMakeLists.txt
index 0c92be60a3..4c9e252a08 100644
--- a/src/analyzer/protocol/udp/CMakeLists.txt
+++ b/src/analyzer/protocol/udp/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro UDP)
-bro_plugin_cc(UDP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro UDP)
+zeek_plugin_cc(UDP.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/vxlan/CMakeLists.txt b/src/analyzer/protocol/vxlan/CMakeLists.txt
index e531555321..438250cdea 100644
--- a/src/analyzer/protocol/vxlan/CMakeLists.txt
+++ b/src/analyzer/protocol/vxlan/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro VXLAN)
-bro_plugin_cc(VXLAN.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro VXLAN)
+zeek_plugin_cc(VXLAN.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/analyzer/protocol/xmpp/CMakeLists.txt b/src/analyzer/protocol/xmpp/CMakeLists.txt
index ec5bb84837..93b866c2a8 100644
--- a/src/analyzer/protocol/xmpp/CMakeLists.txt
+++ b/src/analyzer/protocol/xmpp/CMakeLists.txt
@@ -1,12 +1,12 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro XMPP)
-bro_plugin_cc(Plugin.cc)
-bro_plugin_cc(XMPP.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(xmpp.pac xmpp-analyzer.pac xmpp-protocol.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro XMPP)
+zeek_plugin_cc(Plugin.cc)
+zeek_plugin_cc(XMPP.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(xmpp.pac xmpp-analyzer.pac xmpp-protocol.pac)
+zeek_plugin_end()
 
diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt
index 40c64afd6e..5fc7e901ec 100644
--- a/src/analyzer/protocol/zip/CMakeLists.txt
+++ b/src/analyzer/protocol/zip/CMakeLists.txt
@@ -1,8 +1,8 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro ZIP)
-bro_plugin_cc(ZIP.cc Plugin.cc)
-bro_plugin_end()
+zeek_plugin_begin(Bro ZIP)
+zeek_plugin_cc(ZIP.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/data_event/CMakeLists.txt b/src/file_analysis/analyzer/data_event/CMakeLists.txt
index 49e23d49a0..cbba53cdbc 100644
--- a/src/file_analysis/analyzer/data_event/CMakeLists.txt
+++ b/src/file_analysis/analyzer/data_event/CMakeLists.txt
@@ -1,8 +1,8 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro FileDataEvent)
-bro_plugin_cc(DataEvent.cc Plugin.cc ../../Analyzer.cc)
-bro_plugin_end()
+zeek_plugin_begin(Bro FileDataEvent)
+zeek_plugin_cc(DataEvent.cc Plugin.cc ../../Analyzer.cc)
+zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/entropy/CMakeLists.txt b/src/file_analysis/analyzer/entropy/CMakeLists.txt
index 38db5e726a..6eba4e85a3 100644
--- a/src/file_analysis/analyzer/entropy/CMakeLists.txt
+++ b/src/file_analysis/analyzer/entropy/CMakeLists.txt
@@ -1,9 +1,9 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro FileEntropy)
-bro_plugin_cc(Entropy.cc Plugin.cc ../../Analyzer.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro FileEntropy)
+zeek_plugin_cc(Entropy.cc Plugin.cc ../../Analyzer.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/extract/CMakeLists.txt b/src/file_analysis/analyzer/extract/CMakeLists.txt
index 5f96f4f01b..4588152fde 100644
--- a/src/file_analysis/analyzer/extract/CMakeLists.txt
+++ b/src/file_analysis/analyzer/extract/CMakeLists.txt
@@ -1,10 +1,10 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro FileExtract)
-bro_plugin_cc(Extract.cc Plugin.cc ../../Analyzer.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro FileExtract)
+zeek_plugin_cc(Extract.cc Plugin.cc ../../Analyzer.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/hash/CMakeLists.txt b/src/file_analysis/analyzer/hash/CMakeLists.txt
index 0e3143ee05..bfa975f682 100644
--- a/src/file_analysis/analyzer/hash/CMakeLists.txt
+++ b/src/file_analysis/analyzer/hash/CMakeLists.txt
@@ -1,9 +1,9 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro FileHash)
-bro_plugin_cc(Hash.cc Plugin.cc ../../Analyzer.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro FileHash)
+zeek_plugin_cc(Hash.cc Plugin.cc ../../Analyzer.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/pe/CMakeLists.txt b/src/file_analysis/analyzer/pe/CMakeLists.txt
index 5708f98e8f..b380c5ffef 100644
--- a/src/file_analysis/analyzer/pe/CMakeLists.txt
+++ b/src/file_analysis/analyzer/pe/CMakeLists.txt
@@ -1,12 +1,12 @@
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro PE)
-bro_plugin_cc(PE.cc Plugin.cc)
-bro_plugin_bif(events.bif)
-bro_plugin_pac(
+zeek_plugin_begin(Bro PE)
+zeek_plugin_cc(PE.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(
   pe.pac
   pe-analyzer.pac
   pe-file-headers.pac
@@ -14,4 +14,4 @@ bro_plugin_pac(
   pe-file.pac
   pe-file-types.pac
 )
-bro_plugin_end()
+zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/unified2/CMakeLists.txt b/src/file_analysis/analyzer/unified2/CMakeLists.txt
index 4a9b11ef92..487cf152be 100644
--- a/src/file_analysis/analyzer/unified2/CMakeLists.txt
+++ b/src/file_analysis/analyzer/unified2/CMakeLists.txt
@@ -1,11 +1,11 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Unified2)
-bro_plugin_cc(Unified2.cc Plugin.cc ../../Analyzer.cc)
-bro_plugin_bif(events.bif types.bif)
-bro_plugin_pac(unified2.pac unified2-file.pac unified2-analyzer.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro Unified2)
+zeek_plugin_cc(Unified2.cc Plugin.cc ../../Analyzer.cc)
+zeek_plugin_bif(events.bif types.bif)
+zeek_plugin_pac(unified2.pac unified2-file.pac unified2-analyzer.pac)
+zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index a4c5767e56..fae96dd726 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -1,11 +1,11 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro X509)
-bro_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif)
-bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac)
-bro_plugin_end()
+zeek_plugin_begin(Bro X509)
+zeek_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc)
+zeek_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif)
+zeek_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac)
+zeek_plugin_end()
diff --git a/src/input/readers/ascii/CMakeLists.txt b/src/input/readers/ascii/CMakeLists.txt
index 267bb9a7ab..5c69899b55 100644
--- a/src/input/readers/ascii/CMakeLists.txt
+++ b/src/input/readers/ascii/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro AsciiReader)
-bro_plugin_cc(Ascii.cc Plugin.cc)
-bro_plugin_bif(ascii.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro AsciiReader)
+zeek_plugin_cc(Ascii.cc Plugin.cc)
+zeek_plugin_bif(ascii.bif)
+zeek_plugin_end()
diff --git a/src/input/readers/benchmark/CMakeLists.txt b/src/input/readers/benchmark/CMakeLists.txt
index 3b3a34ae47..96c3b8bba5 100644
--- a/src/input/readers/benchmark/CMakeLists.txt
+++ b/src/input/readers/benchmark/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro BenchmarkReader)
-bro_plugin_cc(Benchmark.cc Plugin.cc)
-bro_plugin_bif(benchmark.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro BenchmarkReader)
+zeek_plugin_cc(Benchmark.cc Plugin.cc)
+zeek_plugin_bif(benchmark.bif)
+zeek_plugin_end()
diff --git a/src/input/readers/binary/CMakeLists.txt b/src/input/readers/binary/CMakeLists.txt
index 800c3b7567..17859ce2b3 100644
--- a/src/input/readers/binary/CMakeLists.txt
+++ b/src/input/readers/binary/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro BinaryReader)
-bro_plugin_cc(Binary.cc Plugin.cc)
-bro_plugin_bif(binary.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro BinaryReader)
+zeek_plugin_cc(Binary.cc Plugin.cc)
+zeek_plugin_bif(binary.bif)
+zeek_plugin_end()
diff --git a/src/input/readers/config/CMakeLists.txt b/src/input/readers/config/CMakeLists.txt
index 8e4c1aa5aa..7ea9a3681a 100644
--- a/src/input/readers/config/CMakeLists.txt
+++ b/src/input/readers/config/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro ConfigReader)
-bro_plugin_cc(Config.cc Plugin.cc)
-bro_plugin_bif(config.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro ConfigReader)
+zeek_plugin_cc(Config.cc Plugin.cc)
+zeek_plugin_bif(config.bif)
+zeek_plugin_end()
diff --git a/src/input/readers/raw/CMakeLists.txt b/src/input/readers/raw/CMakeLists.txt
index 5540d70202..166524fa9a 100644
--- a/src/input/readers/raw/CMakeLists.txt
+++ b/src/input/readers/raw/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro RawReader)
-bro_plugin_cc(Raw.cc Plugin.cc)
-bro_plugin_bif(raw.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro RawReader)
+zeek_plugin_cc(Raw.cc Plugin.cc)
+zeek_plugin_bif(raw.bif)
+zeek_plugin_end()
diff --git a/src/input/readers/sqlite/CMakeLists.txt b/src/input/readers/sqlite/CMakeLists.txt
index 3c513127dc..8be6247c69 100644
--- a/src/input/readers/sqlite/CMakeLists.txt
+++ b/src/input/readers/sqlite/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SQLiteReader)
-bro_plugin_cc(SQLite.cc Plugin.cc)
-bro_plugin_bif(sqlite.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro SQLiteReader)
+zeek_plugin_cc(SQLite.cc Plugin.cc)
+zeek_plugin_bif(sqlite.bif)
+zeek_plugin_end()
diff --git a/src/iosource/pcap/CMakeLists.txt b/src/iosource/pcap/CMakeLists.txt
index fbfffff051..e003cf36f3 100644
--- a/src/iosource/pcap/CMakeLists.txt
+++ b/src/iosource/pcap/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Pcap)
-bro_plugin_cc(Source.cc Dumper.cc Plugin.cc)
+zeek_plugin_begin(Bro Pcap)
+zeek_plugin_cc(Source.cc Dumper.cc Plugin.cc)
 bif_target(pcap.bif)
-bro_plugin_end()
+zeek_plugin_end()
diff --git a/src/logging/writers/ascii/CMakeLists.txt b/src/logging/writers/ascii/CMakeLists.txt
index 0cb0357a0d..e4c7789ed0 100644
--- a/src/logging/writers/ascii/CMakeLists.txt
+++ b/src/logging/writers/ascii/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro AsciiWriter)
-bro_plugin_cc(Ascii.cc Plugin.cc)
-bro_plugin_bif(ascii.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro AsciiWriter)
+zeek_plugin_cc(Ascii.cc Plugin.cc)
+zeek_plugin_bif(ascii.bif)
+zeek_plugin_end()
diff --git a/src/logging/writers/none/CMakeLists.txt b/src/logging/writers/none/CMakeLists.txt
index f6e1265772..1cd0f413e1 100644
--- a/src/logging/writers/none/CMakeLists.txt
+++ b/src/logging/writers/none/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro NoneWriter)
-bro_plugin_cc(None.cc Plugin.cc)
-bro_plugin_bif(none.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro NoneWriter)
+zeek_plugin_cc(None.cc Plugin.cc)
+zeek_plugin_bif(none.bif)
+zeek_plugin_end()
diff --git a/src/logging/writers/sqlite/CMakeLists.txt b/src/logging/writers/sqlite/CMakeLists.txt
index ce25251679..9d2f06d4ef 100644
--- a/src/logging/writers/sqlite/CMakeLists.txt
+++ b/src/logging/writers/sqlite/CMakeLists.txt
@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro SQLiteWriter)
-bro_plugin_cc(SQLite.cc Plugin.cc)
-bro_plugin_bif(sqlite.bif)
-bro_plugin_end()
+zeek_plugin_begin(Bro SQLiteWriter)
+zeek_plugin_cc(SQLite.cc Plugin.cc)
+zeek_plugin_bif(sqlite.bif)
+zeek_plugin_end()

From 5331bf10ecf94730823651c290146d974422b002 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Fri, 7 Jun 2019 20:55:03 -0700
Subject: [PATCH 48/91] GH-323: change builtin plugin namespaces to Zeek

---
 NEWS                                          |   3 +
 scripts/base/init-bare.zeek                   |   4 +-
 src/analyzer/protocol/arp/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/arp/Plugin.cc           |   4 +-
 src/analyzer/protocol/ayiya/CMakeLists.txt    |   2 +-
 src/analyzer/protocol/ayiya/Plugin.cc         |   4 +-
 src/analyzer/protocol/backdoor/CMakeLists.txt |   2 +-
 src/analyzer/protocol/backdoor/Plugin.cc      |   4 +-
 .../protocol/bittorrent/CMakeLists.txt        |   2 +-
 src/analyzer/protocol/bittorrent/Plugin.cc    |   4 +-
 .../protocol/conn-size/CMakeLists.txt         |   2 +-
 src/analyzer/protocol/conn-size/Plugin.cc     |   4 +-
 src/analyzer/protocol/dce-rpc/CMakeLists.txt  |   2 +-
 src/analyzer/protocol/dce-rpc/Plugin.cc       |   4 +-
 src/analyzer/protocol/dhcp/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/dhcp/Plugin.cc          |   4 +-
 src/analyzer/protocol/dnp3/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/dnp3/Plugin.cc          |   4 +-
 src/analyzer/protocol/dns/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/dns/Plugin.cc           |   4 +-
 src/analyzer/protocol/file/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/file/Plugin.cc          |   4 +-
 src/analyzer/protocol/finger/CMakeLists.txt   |   2 +-
 src/analyzer/protocol/finger/Plugin.cc        |   4 +-
 src/analyzer/protocol/ftp/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/ftp/Plugin.cc           |   4 +-
 src/analyzer/protocol/gnutella/CMakeLists.txt |   2 +-
 src/analyzer/protocol/gnutella/Plugin.cc      |   4 +-
 src/analyzer/protocol/gssapi/CMakeLists.txt   |   2 +-
 src/analyzer/protocol/gssapi/Plugin.cc        |   4 +-
 src/analyzer/protocol/gtpv1/CMakeLists.txt    |   2 +-
 src/analyzer/protocol/gtpv1/Plugin.cc         |   4 +-
 src/analyzer/protocol/http/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/http/Plugin.cc          |   4 +-
 src/analyzer/protocol/icmp/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/icmp/Plugin.cc          |   4 +-
 src/analyzer/protocol/ident/CMakeLists.txt    |   2 +-
 src/analyzer/protocol/ident/Plugin.cc         |   4 +-
 src/analyzer/protocol/imap/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/imap/Plugin.cc          |   4 +-
 .../protocol/interconn/CMakeLists.txt         |   2 +-
 src/analyzer/protocol/interconn/Plugin.cc     |   4 +-
 src/analyzer/protocol/irc/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/irc/Plugin.cc           |   4 +-
 src/analyzer/protocol/krb/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/krb/Plugin.cc           |   4 +-
 src/analyzer/protocol/login/CMakeLists.txt    |   2 +-
 src/analyzer/protocol/login/Plugin.cc         |   4 +-
 src/analyzer/protocol/mime/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/mime/Plugin.cc          |   4 +-
 src/analyzer/protocol/modbus/CMakeLists.txt   |   2 +-
 src/analyzer/protocol/modbus/Plugin.cc        |   4 +-
 src/analyzer/protocol/mysql/CMakeLists.txt    |   2 +-
 src/analyzer/protocol/mysql/Plugin.cc         |   4 +-
 src/analyzer/protocol/ncp/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/ncp/Plugin.cc           |   4 +-
 src/analyzer/protocol/netbios/CMakeLists.txt  |   2 +-
 src/analyzer/protocol/netbios/Plugin.cc       |   4 +-
 src/analyzer/protocol/ntlm/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/ntlm/Plugin.cc          |   4 +-
 src/analyzer/protocol/ntp/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/ntp/Plugin.cc           |   4 +-
 src/analyzer/protocol/pia/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/pia/Plugin.cc           |   4 +-
 src/analyzer/protocol/pop3/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/pop3/Plugin.cc          |   4 +-
 src/analyzer/protocol/radius/CMakeLists.txt   |   2 +-
 src/analyzer/protocol/radius/Plugin.cc        |   4 +-
 src/analyzer/protocol/rdp/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/rdp/Plugin.cc           |   4 +-
 src/analyzer/protocol/rfb/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/rfb/Plugin.cc           |   6 +-
 src/analyzer/protocol/rpc/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/rpc/Plugin.cc           |   4 +-
 src/analyzer/protocol/sip/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/sip/Plugin.cc           |   4 +-
 src/analyzer/protocol/smb/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/smb/Plugin.cc           |   4 +-
 src/analyzer/protocol/smtp/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/smtp/Plugin.cc          |   4 +-
 src/analyzer/protocol/snmp/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/snmp/Plugin.cc          |   4 +-
 src/analyzer/protocol/socks/CMakeLists.txt    |   2 +-
 src/analyzer/protocol/socks/Plugin.cc         |   4 +-
 src/analyzer/protocol/ssh/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/ssh/Plugin.cc           |   4 +-
 src/analyzer/protocol/ssl/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/ssl/Plugin.cc           |   4 +-
 .../protocol/stepping-stone/CMakeLists.txt    |   2 +-
 .../protocol/stepping-stone/Plugin.cc         |   4 +-
 src/analyzer/protocol/syslog/CMakeLists.txt   |   2 +-
 src/analyzer/protocol/syslog/Plugin.cc        |   4 +-
 src/analyzer/protocol/tcp/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/tcp/Plugin.cc           |   4 +-
 src/analyzer/protocol/teredo/CMakeLists.txt   |   2 +-
 src/analyzer/protocol/teredo/Plugin.cc        |   4 +-
 src/analyzer/protocol/udp/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/udp/Plugin.cc           |   4 +-
 src/analyzer/protocol/vxlan/CMakeLists.txt    |   2 +-
 src/analyzer/protocol/vxlan/Plugin.cc         |   4 +-
 src/analyzer/protocol/xmpp/CMakeLists.txt     |   2 +-
 src/analyzer/protocol/xmpp/Plugin.cc          |   4 +-
 src/analyzer/protocol/zip/CMakeLists.txt      |   2 +-
 src/analyzer/protocol/zip/Plugin.cc           |   4 +-
 .../analyzer/data_event/CMakeLists.txt        |   2 +-
 .../analyzer/data_event/Plugin.cc             |   4 +-
 .../analyzer/entropy/CMakeLists.txt           |   2 +-
 src/file_analysis/analyzer/entropy/Plugin.cc  |   4 +-
 .../analyzer/extract/CMakeLists.txt           |   2 +-
 src/file_analysis/analyzer/extract/Plugin.cc  |   4 +-
 .../analyzer/hash/CMakeLists.txt              |   2 +-
 src/file_analysis/analyzer/hash/Plugin.cc     |   4 +-
 src/file_analysis/analyzer/pe/CMakeLists.txt  |   2 +-
 src/file_analysis/analyzer/pe/Plugin.cc       |   4 +-
 .../analyzer/unified2/CMakeLists.txt          |   2 +-
 src/file_analysis/analyzer/unified2/Plugin.cc |   4 +-
 .../analyzer/x509/CMakeLists.txt              |   2 +-
 src/file_analysis/analyzer/x509/Plugin.cc     |   4 +-
 src/input/readers/ascii/CMakeLists.txt        |   2 +-
 src/input/readers/ascii/Plugin.cc             |   4 +-
 src/input/readers/benchmark/CMakeLists.txt    |   2 +-
 src/input/readers/benchmark/Plugin.cc         |   4 +-
 src/input/readers/binary/CMakeLists.txt       |   2 +-
 src/input/readers/binary/Plugin.cc            |   4 +-
 src/input/readers/config/CMakeLists.txt       |   2 +-
 src/input/readers/config/Plugin.cc            |   4 +-
 src/input/readers/raw/CMakeLists.txt          |   2 +-
 src/input/readers/raw/Plugin.cc               |   6 +-
 src/input/readers/raw/Plugin.h                |   2 +-
 src/input/readers/raw/Raw.cc                  |   2 +-
 src/input/readers/sqlite/CMakeLists.txt       |   2 +-
 src/input/readers/sqlite/Plugin.cc            |   4 +-
 src/iosource/pcap/CMakeLists.txt              |   2 +-
 src/iosource/pcap/Plugin.cc                   |   4 +-
 src/logging/writers/ascii/CMakeLists.txt      |   2 +-
 src/logging/writers/ascii/Plugin.cc           |   4 +-
 src/logging/writers/none/CMakeLists.txt       |   2 +-
 src/logging/writers/none/Plugin.cc            |   4 +-
 src/logging/writers/sqlite/CMakeLists.txt     |   2 +-
 src/logging/writers/sqlite/Plugin.cc          |   4 +-
 .../canonified_loaded_scripts.log             | 242 +++---
 .../canonified_loaded_scripts.log             | 242 +++---
 testing/btest/Baseline/plugins.hooks/output   | 740 +++++++++---------
 .../base/frameworks/logging/sqlite/error.zeek |   2 +-
 .../base/frameworks/logging/sqlite/set.zeek   |   2 +-
 .../logging/sqlite/simultaneous-writes.zeek   |   2 +-
 .../base/frameworks/logging/sqlite/types.zeek |   2 +-
 .../frameworks/logging/sqlite/wikipedia.zeek  |   2 +-
 148 files changed, 830 insertions(+), 827 deletions(-)

diff --git a/NEWS b/NEWS
index 6abb21c055..b43f9333c1 100644
--- a/NEWS
+++ b/NEWS
@@ -265,6 +265,9 @@ Changed Functionality
   were parsed separately as some TLS protocol versions specified a
   separate timestamp field as part of the full 32-byte random sequence.
 
+- The namespace used by all the builtin plugins that ship with Zeek have
+  changed to use "Zeek::" instead of "Bro::".
+
 Removed Functionality
 ---------------------
 
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index c0d2da80e3..72c58105ae 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4331,7 +4331,7 @@ export {
 	type RDP::ClientChannelList: vector of ClientChannelDef;
 }
 
-@load base/bif/plugins/Bro_SNMP.types.bif
+@load base/bif/plugins/Zeek_SNMP.types.bif
 
 module SNMP;
 export {
@@ -4453,7 +4453,7 @@ export {
 	};
 }
 
-@load base/bif/plugins/Bro_KRB.types.bif
+@load base/bif/plugins/Zeek_KRB.types.bif
 
 module KRB;
 export {
diff --git a/src/analyzer/protocol/arp/CMakeLists.txt b/src/analyzer/protocol/arp/CMakeLists.txt
index 9f28d80296..0b911b1979 100644
--- a/src/analyzer/protocol/arp/CMakeLists.txt
+++ b/src/analyzer/protocol/arp/CMakeLists.txt
@@ -8,7 +8,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro ARP)
+zeek_plugin_begin(Zeek ARP)
 zeek_plugin_cc(ARP.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/arp/Plugin.cc b/src/analyzer/protocol/arp/Plugin.cc
index d0297d5f78..0ba8648b30 100644
--- a/src/analyzer/protocol/arp/Plugin.cc
+++ b/src/analyzer/protocol/arp/Plugin.cc
@@ -4,14 +4,14 @@
 #include "plugin/Plugin.h"
 
 namespace plugin {
-namespace Bro_ARP {
+namespace Zeek_ARP {
 
 class Plugin : public plugin::Plugin {
 public:
 	plugin::Configuration Configure()
 		{
 		plugin::Configuration config;
-		config.name = "Bro::ARP";
+		config.name = "Zeek::ARP";
 		config.description = "ARP Parsing";
 		return config;
 		}
diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt
index 6ad6cfcf17..480d0bdfeb 100644
--- a/src/analyzer/protocol/ayiya/CMakeLists.txt
+++ b/src/analyzer/protocol/ayiya/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro AYIYA)
+zeek_plugin_begin(Zeek AYIYA)
 zeek_plugin_cc(AYIYA.cc Plugin.cc)
 zeek_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/ayiya/Plugin.cc b/src/analyzer/protocol/ayiya/Plugin.cc
index 7b660722e4..2b4b8ee7d9 100644
--- a/src/analyzer/protocol/ayiya/Plugin.cc
+++ b/src/analyzer/protocol/ayiya/Plugin.cc
@@ -6,7 +6,7 @@
 #include "AYIYA.h"
 
 namespace plugin {
-namespace Bro_AYIYA {
+namespace Zeek_AYIYA {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("AYIYA", ::analyzer::ayiya::AYIYA_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::AYIYA";
+		config.name = "Zeek::AYIYA";
 		config.description = "AYIYA Analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/backdoor/CMakeLists.txt b/src/analyzer/protocol/backdoor/CMakeLists.txt
index d45396f99d..66511d3d99 100644
--- a/src/analyzer/protocol/backdoor/CMakeLists.txt
+++ b/src/analyzer/protocol/backdoor/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro BackDoor)
+zeek_plugin_begin(Zeek BackDoor)
 zeek_plugin_cc(BackDoor.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/backdoor/Plugin.cc b/src/analyzer/protocol/backdoor/Plugin.cc
index 111ba70709..aeec615c50 100644
--- a/src/analyzer/protocol/backdoor/Plugin.cc
+++ b/src/analyzer/protocol/backdoor/Plugin.cc
@@ -6,7 +6,7 @@
 #include "BackDoor.h"
 
 namespace plugin {
-namespace Bro_BackDoor {
+namespace Zeek_BackDoor {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("BackDoor", ::analyzer::backdoor::BackDoor_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::BackDoor";
+		config.name = "Zeek::BackDoor";
 		config.description = "Backdoor Analyzer deprecated";
 		return config;
 		}
diff --git a/src/analyzer/protocol/bittorrent/CMakeLists.txt b/src/analyzer/protocol/bittorrent/CMakeLists.txt
index c7c8c82d2b..ca7c9b9e36 100644
--- a/src/analyzer/protocol/bittorrent/CMakeLists.txt
+++ b/src/analyzer/protocol/bittorrent/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro BitTorrent)
+zeek_plugin_begin(Zeek BitTorrent)
 zeek_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
diff --git a/src/analyzer/protocol/bittorrent/Plugin.cc b/src/analyzer/protocol/bittorrent/Plugin.cc
index b663dde25d..14f778ac9f 100644
--- a/src/analyzer/protocol/bittorrent/Plugin.cc
+++ b/src/analyzer/protocol/bittorrent/Plugin.cc
@@ -7,7 +7,7 @@
 #include "BitTorrentTracker.h"
 
 namespace plugin {
-namespace Bro_BitTorrent {
+namespace Zeek_BitTorrent {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -17,7 +17,7 @@ public:
 		AddComponent(new ::analyzer::Component("BitTorrentTracker", ::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::BitTorrent";
+		config.name = "Zeek::BitTorrent";
 		config.description = "BitTorrent Analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/conn-size/CMakeLists.txt b/src/analyzer/protocol/conn-size/CMakeLists.txt
index fb2e7f68da..30b1bedab3 100644
--- a/src/analyzer/protocol/conn-size/CMakeLists.txt
+++ b/src/analyzer/protocol/conn-size/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro ConnSize)
+zeek_plugin_begin(Zeek ConnSize)
 zeek_plugin_cc(ConnSize.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc
index d373ce5d4a..ce1b600da2 100644
--- a/src/analyzer/protocol/conn-size/Plugin.cc
+++ b/src/analyzer/protocol/conn-size/Plugin.cc
@@ -6,7 +6,7 @@
 #include "ConnSize.h"
 
 namespace plugin {
-namespace Bro_ConnSize {
+namespace Zeek_ConnSize {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("ConnSize", ::analyzer::conn_size::ConnSize_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::ConnSize";
+		config.name = "Zeek::ConnSize";
 		config.description = "Connection size analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/dce-rpc/CMakeLists.txt b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
index db499691d7..286f7fd0b2 100644
--- a/src/analyzer/protocol/dce-rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/dce-rpc/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro DCE_RPC)
+zeek_plugin_begin(Zeek DCE_RPC)
 zeek_plugin_cc(DCE_RPC.cc Plugin.cc)
 zeek_plugin_bif(consts.bif types.bif events.bif)
 zeek_plugin_pac(
diff --git a/src/analyzer/protocol/dce-rpc/Plugin.cc b/src/analyzer/protocol/dce-rpc/Plugin.cc
index c4d250921d..d821cbea2b 100644
--- a/src/analyzer/protocol/dce-rpc/Plugin.cc
+++ b/src/analyzer/protocol/dce-rpc/Plugin.cc
@@ -6,7 +6,7 @@
 #include "DCE_RPC.h"
 
 namespace plugin {
-namespace Bro_DCE_RPC {
+namespace Zeek_DCE_RPC {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("DCE_RPC", ::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::DCE_RPC";
+		config.name = "Zeek::DCE_RPC";
 		config.description = "DCE-RPC analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt
index df79660338..8fa784b4be 100644
--- a/src/analyzer/protocol/dhcp/CMakeLists.txt
+++ b/src/analyzer/protocol/dhcp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro DHCP)
+zeek_plugin_begin(Zeek DHCP)
 zeek_plugin_cc(DHCP.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(types.bif)
diff --git a/src/analyzer/protocol/dhcp/Plugin.cc b/src/analyzer/protocol/dhcp/Plugin.cc
index eecf6f9170..62318604c4 100644
--- a/src/analyzer/protocol/dhcp/Plugin.cc
+++ b/src/analyzer/protocol/dhcp/Plugin.cc
@@ -6,7 +6,7 @@
 #include "DHCP.h"
 
 namespace plugin {
-namespace Bro_DHCP {
+namespace Zeek_DHCP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("DHCP", ::analyzer::dhcp::DHCP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::DHCP";
+		config.name = "Zeek::DHCP";
 		config.description = "DHCP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/dnp3/CMakeLists.txt b/src/analyzer/protocol/dnp3/CMakeLists.txt
index 9134412a57..aaa7581319 100644
--- a/src/analyzer/protocol/dnp3/CMakeLists.txt
+++ b/src/analyzer/protocol/dnp3/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro DNP3)
+zeek_plugin_begin(Zeek DNP3)
 zeek_plugin_cc(DNP3.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(dnp3.pac dnp3-analyzer.pac dnp3-protocol.pac dnp3-objects.pac)
diff --git a/src/analyzer/protocol/dnp3/Plugin.cc b/src/analyzer/protocol/dnp3/Plugin.cc
index 6a64138ce7..8543360b6a 100644
--- a/src/analyzer/protocol/dnp3/Plugin.cc
+++ b/src/analyzer/protocol/dnp3/Plugin.cc
@@ -6,7 +6,7 @@
 #include "DNP3.h"
 
 namespace plugin {
-namespace Bro_DNP3 {
+namespace Zeek_DNP3 {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::DNP3";
+		config.name = "Zeek::DNP3";
 		config.description = "DNP3 UDP/TCP analyzers";
 		return config;
 		}
diff --git a/src/analyzer/protocol/dns/CMakeLists.txt b/src/analyzer/protocol/dns/CMakeLists.txt
index bb01552bf5..76c3129eba 100644
--- a/src/analyzer/protocol/dns/CMakeLists.txt
+++ b/src/analyzer/protocol/dns/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro DNS)
+zeek_plugin_begin(Zeek DNS)
 zeek_plugin_cc(DNS.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/dns/Plugin.cc b/src/analyzer/protocol/dns/Plugin.cc
index 1cba094c54..3ceef34ea1 100644
--- a/src/analyzer/protocol/dns/Plugin.cc
+++ b/src/analyzer/protocol/dns/Plugin.cc
@@ -6,7 +6,7 @@
 #include "DNS.h"
 
 namespace plugin {
-namespace Bro_DNS {
+namespace Zeek_DNS {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("Contents_DNS", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::DNS";
+		config.name = "Zeek::DNS";
 		config.description = "DNS analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/file/CMakeLists.txt b/src/analyzer/protocol/file/CMakeLists.txt
index 0746f8d785..5c11356991 100644
--- a/src/analyzer/protocol/file/CMakeLists.txt
+++ b/src/analyzer/protocol/file/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro File)
+zeek_plugin_begin(Zeek File)
 zeek_plugin_cc(File.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/file/Plugin.cc b/src/analyzer/protocol/file/Plugin.cc
index 499736ebd8..36586fb6a9 100644
--- a/src/analyzer/protocol/file/Plugin.cc
+++ b/src/analyzer/protocol/file/Plugin.cc
@@ -6,7 +6,7 @@
 #include "./File.h"
 
 namespace plugin {
-namespace Bro_File {
+namespace Zeek_File {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("IRC_Data", ::analyzer::file::IRC_Data::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::File";
+		config.name = "Zeek::File";
 		config.description = "Generic file analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/finger/CMakeLists.txt b/src/analyzer/protocol/finger/CMakeLists.txt
index 095b3e81ec..e89f268a8a 100644
--- a/src/analyzer/protocol/finger/CMakeLists.txt
+++ b/src/analyzer/protocol/finger/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Finger)
+zeek_plugin_begin(Zeek Finger)
 zeek_plugin_cc(Finger.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/finger/Plugin.cc b/src/analyzer/protocol/finger/Plugin.cc
index 7dbaaf702d..b6fafd3b4c 100644
--- a/src/analyzer/protocol/finger/Plugin.cc
+++ b/src/analyzer/protocol/finger/Plugin.cc
@@ -5,7 +5,7 @@
 #include "Finger.h"
 
 namespace plugin {
-namespace Bro_Finger {
+namespace Zeek_Finger {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::analyzer::Component("Finger", ::analyzer::finger::Finger_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Finger";
+		config.name = "Zeek::Finger";
 		config.description = "Finger analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/ftp/CMakeLists.txt b/src/analyzer/protocol/ftp/CMakeLists.txt
index f55edec611..ff6d372295 100644
--- a/src/analyzer/protocol/ftp/CMakeLists.txt
+++ b/src/analyzer/protocol/ftp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro FTP)
+zeek_plugin_begin(Zeek FTP)
 zeek_plugin_cc(FTP.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/ftp/Plugin.cc b/src/analyzer/protocol/ftp/Plugin.cc
index 80e5bf4381..ae70d2f705 100644
--- a/src/analyzer/protocol/ftp/Plugin.cc
+++ b/src/analyzer/protocol/ftp/Plugin.cc
@@ -6,7 +6,7 @@
 #include "FTP.h"
 
 namespace plugin {
-namespace Bro_FTP {
+namespace Zeek_FTP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("FTP_ADAT", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::FTP";
+		config.name = "Zeek::FTP";
 		config.description = "FTP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/gnutella/CMakeLists.txt b/src/analyzer/protocol/gnutella/CMakeLists.txt
index 254fd667ff..d463ac6af7 100644
--- a/src/analyzer/protocol/gnutella/CMakeLists.txt
+++ b/src/analyzer/protocol/gnutella/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Gnutella)
+zeek_plugin_begin(Zeek Gnutella)
 zeek_plugin_cc(Gnutella.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/gnutella/Plugin.cc b/src/analyzer/protocol/gnutella/Plugin.cc
index afd0ff491e..b6a560ec58 100644
--- a/src/analyzer/protocol/gnutella/Plugin.cc
+++ b/src/analyzer/protocol/gnutella/Plugin.cc
@@ -6,7 +6,7 @@
 #include "Gnutella.h"
 
 namespace plugin {
-namespace Bro_Gnutella {
+namespace Zeek_Gnutella {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("Gnutella", ::analyzer::gnutella::Gnutella_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Gnutella";
+		config.name = "Zeek::Gnutella";
 		config.description = "Gnutella analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/gssapi/CMakeLists.txt b/src/analyzer/protocol/gssapi/CMakeLists.txt
index 0ed07e2263..74ae705313 100644
--- a/src/analyzer/protocol/gssapi/CMakeLists.txt
+++ b/src/analyzer/protocol/gssapi/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro GSSAPI)
+zeek_plugin_begin(Zeek GSSAPI)
 zeek_plugin_cc(GSSAPI.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(
diff --git a/src/analyzer/protocol/gssapi/Plugin.cc b/src/analyzer/protocol/gssapi/Plugin.cc
index 3765d9b79d..c0cd7fe11c 100644
--- a/src/analyzer/protocol/gssapi/Plugin.cc
+++ b/src/analyzer/protocol/gssapi/Plugin.cc
@@ -5,7 +5,7 @@
 #include "GSSAPI.h"
 
 namespace plugin {
-namespace Bro_GSSAPI {
+namespace Zeek_GSSAPI {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::analyzer::Component("GSSAPI", ::analyzer::gssapi::GSSAPI_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::GSSAPI";
+		config.name = "Zeek::GSSAPI";
 		config.description = "GSSAPI analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt
index 0c2f243eda..61856cf1f1 100644
--- a/src/analyzer/protocol/gtpv1/CMakeLists.txt
+++ b/src/analyzer/protocol/gtpv1/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro GTPv1)
+zeek_plugin_begin(Zeek GTPv1)
 zeek_plugin_cc(GTPv1.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
diff --git a/src/analyzer/protocol/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc
index 846c78d18f..4b7929a747 100644
--- a/src/analyzer/protocol/gtpv1/Plugin.cc
+++ b/src/analyzer/protocol/gtpv1/Plugin.cc
@@ -6,7 +6,7 @@
 #include "GTPv1.h"
 
 namespace plugin {
-namespace Bro_GTPv1 {
+namespace Zeek_GTPv1 {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("GTPv1", ::analyzer::gtpv1::GTPv1_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::GTPv1";
+		config.name = "Zeek::GTPv1";
 		config.description = "GTPv1 analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/http/CMakeLists.txt b/src/analyzer/protocol/http/CMakeLists.txt
index 555252b2d6..1b173e6949 100644
--- a/src/analyzer/protocol/http/CMakeLists.txt
+++ b/src/analyzer/protocol/http/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro HTTP)
+zeek_plugin_begin(Zeek HTTP)
 zeek_plugin_cc(HTTP.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/http/Plugin.cc b/src/analyzer/protocol/http/Plugin.cc
index f88866f66f..f2b7402415 100644
--- a/src/analyzer/protocol/http/Plugin.cc
+++ b/src/analyzer/protocol/http/Plugin.cc
@@ -6,7 +6,7 @@
 #include "HTTP.h"
 
 namespace plugin {
-namespace Bro_HTTP {
+namespace Zeek_HTTP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("HTTP", ::analyzer::http::HTTP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::HTTP";
+		config.name = "Zeek::HTTP";
 		config.description = "HTTP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/icmp/CMakeLists.txt b/src/analyzer/protocol/icmp/CMakeLists.txt
index 0dfcea50ef..875b3597ec 100644
--- a/src/analyzer/protocol/icmp/CMakeLists.txt
+++ b/src/analyzer/protocol/icmp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro ICMP)
+zeek_plugin_begin(Zeek ICMP)
 zeek_plugin_cc(ICMP.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/icmp/Plugin.cc b/src/analyzer/protocol/icmp/Plugin.cc
index f216bcbbe9..390eb751d1 100644
--- a/src/analyzer/protocol/icmp/Plugin.cc
+++ b/src/analyzer/protocol/icmp/Plugin.cc
@@ -6,7 +6,7 @@
 #include "ICMP.h"
 
 namespace plugin {
-namespace Bro_ICMP {
+namespace Zeek_ICMP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("ICMP", ::analyzer::icmp::ICMP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::ICMP";
+		config.name = "Zeek::ICMP";
 		config.description = "ICMP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/ident/CMakeLists.txt b/src/analyzer/protocol/ident/CMakeLists.txt
index eed123d31c..22ac6e94a1 100644
--- a/src/analyzer/protocol/ident/CMakeLists.txt
+++ b/src/analyzer/protocol/ident/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Ident)
+zeek_plugin_begin(Zeek Ident)
 zeek_plugin_cc(Ident.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/ident/Plugin.cc b/src/analyzer/protocol/ident/Plugin.cc
index e495210f08..23a798a72f 100644
--- a/src/analyzer/protocol/ident/Plugin.cc
+++ b/src/analyzer/protocol/ident/Plugin.cc
@@ -6,7 +6,7 @@
 #include "Ident.h"
 
 namespace plugin {
-namespace Bro_Ident {
+namespace Zeek_Ident {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("Ident", ::analyzer::ident::Ident_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Ident";
+		config.name = "Zeek::Ident";
 		config.description = "Ident analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/imap/CMakeLists.txt b/src/analyzer/protocol/imap/CMakeLists.txt
index 0a84b0ce09..472b465b71 100644
--- a/src/analyzer/protocol/imap/CMakeLists.txt
+++ b/src/analyzer/protocol/imap/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro IMAP)
+zeek_plugin_begin(Zeek IMAP)
 zeek_plugin_cc(Plugin.cc)
 zeek_plugin_cc(IMAP.cc)
 zeek_plugin_bif(events.bif)
diff --git a/src/analyzer/protocol/imap/Plugin.cc b/src/analyzer/protocol/imap/Plugin.cc
index 63358f1aeb..3192ea8f28 100644
--- a/src/analyzer/protocol/imap/Plugin.cc
+++ b/src/analyzer/protocol/imap/Plugin.cc
@@ -3,7 +3,7 @@
 #include "IMAP.h"
 
 namespace plugin {
-namespace Bro_IMAP {
+namespace Zeek_IMAP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -12,7 +12,7 @@ public:
 		AddComponent(new ::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::IMAP";
+		config.name = "Zeek::IMAP";
 		config.description = "IMAP analyzer (StartTLS only)";
 		return config;
 		}
diff --git a/src/analyzer/protocol/interconn/CMakeLists.txt b/src/analyzer/protocol/interconn/CMakeLists.txt
index 0a00a441f1..c1cf40da3f 100644
--- a/src/analyzer/protocol/interconn/CMakeLists.txt
+++ b/src/analyzer/protocol/interconn/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro InterConn)
+zeek_plugin_begin(Zeek InterConn)
 zeek_plugin_cc(InterConn.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/interconn/Plugin.cc b/src/analyzer/protocol/interconn/Plugin.cc
index a4ee39ca07..bbd1b866ed 100644
--- a/src/analyzer/protocol/interconn/Plugin.cc
+++ b/src/analyzer/protocol/interconn/Plugin.cc
@@ -6,7 +6,7 @@
 #include "InterConn.h"
 
 namespace plugin {
-namespace Bro_InterConn {
+namespace Zeek_InterConn {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("InterConn", ::analyzer::interconn::InterConn_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::InterConn";
+		config.name = "Zeek::InterConn";
 		config.description = "InterConn analyzer deprecated";
 		return config;
 		}
diff --git a/src/analyzer/protocol/irc/CMakeLists.txt b/src/analyzer/protocol/irc/CMakeLists.txt
index 50e4dcb90d..4538172d75 100644
--- a/src/analyzer/protocol/irc/CMakeLists.txt
+++ b/src/analyzer/protocol/irc/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro IRC)
+zeek_plugin_begin(Zeek IRC)
 zeek_plugin_cc(IRC.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/irc/Plugin.cc b/src/analyzer/protocol/irc/Plugin.cc
index 54769ba0b0..fc63baad12 100644
--- a/src/analyzer/protocol/irc/Plugin.cc
+++ b/src/analyzer/protocol/irc/Plugin.cc
@@ -6,7 +6,7 @@
 #include "IRC.h"
 
 namespace plugin {
-namespace Bro_IRC {
+namespace Zeek_IRC {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("IRC", ::analyzer::irc::IRC_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::IRC";
+		config.name = "Zeek::IRC";
 		config.description = "IRC analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/krb/CMakeLists.txt b/src/analyzer/protocol/krb/CMakeLists.txt
index bf82ca0b64..d052e9bb6c 100644
--- a/src/analyzer/protocol/krb/CMakeLists.txt
+++ b/src/analyzer/protocol/krb/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro KRB)
+zeek_plugin_begin(Zeek KRB)
 zeek_plugin_cc(Plugin.cc)
 zeek_plugin_cc(KRB.cc)
 zeek_plugin_cc(KRB_TCP.cc)
diff --git a/src/analyzer/protocol/krb/Plugin.cc b/src/analyzer/protocol/krb/Plugin.cc
index ffbefb5b1c..707498f729 100644
--- a/src/analyzer/protocol/krb/Plugin.cc
+++ b/src/analyzer/protocol/krb/Plugin.cc
@@ -5,7 +5,7 @@
 #include "KRB_TCP.h"
 
 namespace plugin {
-	namespace Bro_KRB {
+	namespace Zeek_KRB {
 		class Plugin : public plugin::Plugin {
 		public:
 			plugin::Configuration Configure()
@@ -13,7 +13,7 @@ namespace plugin {
 				AddComponent(new ::analyzer::Component("KRB", ::analyzer::krb::KRB_Analyzer::Instantiate));
 				AddComponent(new ::analyzer::Component("KRB_TCP", ::analyzer::krb_tcp::KRB_Analyzer::Instantiate));
 				plugin::Configuration config;
-				config.name = "Bro::KRB";
+				config.name = "Zeek::KRB";
 				config.description = "Kerberos analyzer";
 				return config;
 				}
diff --git a/src/analyzer/protocol/login/CMakeLists.txt b/src/analyzer/protocol/login/CMakeLists.txt
index 98eecb7300..cb8217aaeb 100644
--- a/src/analyzer/protocol/login/CMakeLists.txt
+++ b/src/analyzer/protocol/login/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Login)
+zeek_plugin_begin(Zeek Login)
 zeek_plugin_cc(Login.cc RSH.cc Telnet.cc Rlogin.cc NVT.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/login/Plugin.cc b/src/analyzer/protocol/login/Plugin.cc
index 3e4a83ceae..182c070592 100644
--- a/src/analyzer/protocol/login/Plugin.cc
+++ b/src/analyzer/protocol/login/Plugin.cc
@@ -9,7 +9,7 @@
 #include "Rlogin.h"
 
 namespace plugin {
-namespace Bro_Login {
+namespace Zeek_Login {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -24,7 +24,7 @@ public:
 		AddComponent(new ::analyzer::Component("Contents_Rlogin", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::Login";
+		config.name = "Zeek::Login";
 		config.description = "Telnet/Rsh/Rlogin analyzers";
 		return config;
 		}
diff --git a/src/analyzer/protocol/mime/CMakeLists.txt b/src/analyzer/protocol/mime/CMakeLists.txt
index 571ac2de9f..6275297dc9 100644
--- a/src/analyzer/protocol/mime/CMakeLists.txt
+++ b/src/analyzer/protocol/mime/CMakeLists.txt
@@ -8,7 +8,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro MIME)
+zeek_plugin_begin(Zeek MIME)
 zeek_plugin_cc(MIME.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/mime/Plugin.cc b/src/analyzer/protocol/mime/Plugin.cc
index f7a1c22f3e..6cff9f0a5a 100644
--- a/src/analyzer/protocol/mime/Plugin.cc
+++ b/src/analyzer/protocol/mime/Plugin.cc
@@ -4,14 +4,14 @@
 #include "plugin/Plugin.h"
 
 namespace plugin {
-namespace Bro_MIME {
+namespace Zeek_MIME {
 
 class Plugin : public plugin::Plugin {
 public:
 	plugin::Configuration Configure()
 		{
 		plugin::Configuration config;
-		config.name = "Bro::MIME";
+		config.name = "Zeek::MIME";
 		config.description = "MIME parsing";
 		return config;
 		}
diff --git a/src/analyzer/protocol/modbus/CMakeLists.txt b/src/analyzer/protocol/modbus/CMakeLists.txt
index 210609f504..2560f18a60 100644
--- a/src/analyzer/protocol/modbus/CMakeLists.txt
+++ b/src/analyzer/protocol/modbus/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Modbus)
+zeek_plugin_begin(Zeek Modbus)
 zeek_plugin_cc(Modbus.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(modbus.pac modbus-analyzer.pac modbus-protocol.pac)
diff --git a/src/analyzer/protocol/modbus/Plugin.cc b/src/analyzer/protocol/modbus/Plugin.cc
index 8a01878113..68b78fcbe7 100644
--- a/src/analyzer/protocol/modbus/Plugin.cc
+++ b/src/analyzer/protocol/modbus/Plugin.cc
@@ -6,7 +6,7 @@
 #include "Modbus.h"
 
 namespace plugin {
-namespace Bro_Modbus {
+namespace Zeek_Modbus {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("MODBUS", ::analyzer::modbus::ModbusTCP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Modbus";
+		config.name = "Zeek::Modbus";
 		config.description = "Modbus analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/mysql/CMakeLists.txt b/src/analyzer/protocol/mysql/CMakeLists.txt
index 01dbefdd3f..3ac448c665 100644
--- a/src/analyzer/protocol/mysql/CMakeLists.txt
+++ b/src/analyzer/protocol/mysql/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro MySQL)
+zeek_plugin_begin(Zeek MySQL)
 	zeek_plugin_cc(MySQL.cc Plugin.cc)
 	zeek_plugin_bif(events.bif)
 	zeek_plugin_pac(mysql.pac mysql-analyzer.pac mysql-protocol.pac)
diff --git a/src/analyzer/protocol/mysql/Plugin.cc b/src/analyzer/protocol/mysql/Plugin.cc
index 48bfd04a97..0f484e29ce 100644
--- a/src/analyzer/protocol/mysql/Plugin.cc
+++ b/src/analyzer/protocol/mysql/Plugin.cc
@@ -5,14 +5,14 @@
 #include "MySQL.h"
 
 namespace plugin {
-	namespace Bro_MySQL {
+	namespace Zeek_MySQL {
 		class Plugin : public plugin::Plugin {
 		public:
 			plugin::Configuration Configure()
 				{
 				AddComponent(new ::analyzer::Component("MySQL", ::analyzer::MySQL::MySQL_Analyzer::Instantiate));
 				plugin::Configuration config;
-				config.name = "Bro::MySQL";
+				config.name = "Zeek::MySQL";
 				config.description = "MySQL analyzer";
 				return config;
 				}
diff --git a/src/analyzer/protocol/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt
index 0257c5aba6..62b198553b 100644
--- a/src/analyzer/protocol/ncp/CMakeLists.txt
+++ b/src/analyzer/protocol/ncp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro NCP)
+zeek_plugin_begin(Zeek NCP)
 zeek_plugin_cc(NCP.cc Plugin.cc)
 zeek_plugin_bif(events.bif consts.bif)
 zeek_plugin_pac(ncp.pac)
diff --git a/src/analyzer/protocol/ncp/Plugin.cc b/src/analyzer/protocol/ncp/Plugin.cc
index fe1de9a250..9ea75a4674 100644
--- a/src/analyzer/protocol/ncp/Plugin.cc
+++ b/src/analyzer/protocol/ncp/Plugin.cc
@@ -6,7 +6,7 @@
 #include "NCP.h"
 
 namespace plugin {
-namespace Bro_NCP {
+namespace Zeek_NCP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("Contents_NCP", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::NCP";
+		config.name = "Zeek::NCP";
 		config.description = "NCP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/netbios/CMakeLists.txt b/src/analyzer/protocol/netbios/CMakeLists.txt
index 3f4e53ac66..4ae22a6f42 100644
--- a/src/analyzer/protocol/netbios/CMakeLists.txt
+++ b/src/analyzer/protocol/netbios/CMakeLists.txt
@@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc)
 include_directories(AFTER ${CMAKE_CURRENT_BINARY_DIR}/../smb)
 
-zeek_plugin_begin(Bro NetBIOS)
+zeek_plugin_begin(Zeek NetBIOS)
 zeek_plugin_cc(NetbiosSSN.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/netbios/Plugin.cc b/src/analyzer/protocol/netbios/Plugin.cc
index 0ec730889d..7f49cdfb09 100644
--- a/src/analyzer/protocol/netbios/Plugin.cc
+++ b/src/analyzer/protocol/netbios/Plugin.cc
@@ -6,7 +6,7 @@
 #include "NetbiosSSN.h"
 
 namespace plugin {
-namespace Bro_NetBIOS {
+namespace Zeek_NetBIOS {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("Contents_NetbiosSSN", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::NetBIOS";
+		config.name = "Zeek::NetBIOS";
 		config.description = "NetBIOS analyzer support";
 		return config;
 		}
diff --git a/src/analyzer/protocol/ntlm/CMakeLists.txt b/src/analyzer/protocol/ntlm/CMakeLists.txt
index e7adf7470c..e2e627f36b 100644
--- a/src/analyzer/protocol/ntlm/CMakeLists.txt
+++ b/src/analyzer/protocol/ntlm/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro NTLM)
+zeek_plugin_begin(Zeek NTLM)
 zeek_plugin_cc(NTLM.cc Plugin.cc)
 zeek_plugin_bif(types.bif events.bif)
 zeek_plugin_pac(
diff --git a/src/analyzer/protocol/ntlm/Plugin.cc b/src/analyzer/protocol/ntlm/Plugin.cc
index a9450537b5..e85b0cff17 100644
--- a/src/analyzer/protocol/ntlm/Plugin.cc
+++ b/src/analyzer/protocol/ntlm/Plugin.cc
@@ -5,7 +5,7 @@
 #include "NTLM.h"
 
 namespace plugin {
-namespace Bro_NTLM {
+namespace Zeek_NTLM {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::analyzer::Component("NTLM", ::analyzer::ntlm::NTLM_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::NTLM";
+		config.name = "Zeek::NTLM";
 		config.description = "NTLM analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/ntp/CMakeLists.txt b/src/analyzer/protocol/ntp/CMakeLists.txt
index d541755904..8395031a32 100644
--- a/src/analyzer/protocol/ntp/CMakeLists.txt
+++ b/src/analyzer/protocol/ntp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro NTP)
+zeek_plugin_begin(Zeek NTP)
 zeek_plugin_cc(NTP.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/ntp/Plugin.cc b/src/analyzer/protocol/ntp/Plugin.cc
index 3399fbb867..bd426d5fc1 100644
--- a/src/analyzer/protocol/ntp/Plugin.cc
+++ b/src/analyzer/protocol/ntp/Plugin.cc
@@ -6,7 +6,7 @@
 #include "NTP.h"
 
 namespace plugin {
-namespace Bro_NTP {
+namespace Zeek_NTP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("NTP", ::analyzer::ntp::NTP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::NTP";
+		config.name = "Zeek::NTP";
 		config.description = "NTP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt
index d00030f20a..b2bcf0c70c 100644
--- a/src/analyzer/protocol/pia/CMakeLists.txt
+++ b/src/analyzer/protocol/pia/CMakeLists.txt
@@ -3,6 +3,6 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro PIA)
+zeek_plugin_begin(Zeek PIA)
 zeek_plugin_cc(PIA.cc Plugin.cc)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/pia/Plugin.cc b/src/analyzer/protocol/pia/Plugin.cc
index 983617be66..c46e710f9d 100644
--- a/src/analyzer/protocol/pia/Plugin.cc
+++ b/src/analyzer/protocol/pia/Plugin.cc
@@ -6,7 +6,7 @@
 #include "PIA.h"
 
 namespace plugin {
-namespace Bro_PIA {
+namespace Zeek_PIA {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("PIA_UDP", ::analyzer::pia::PIA_UDP::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::PIA";
+		config.name = "Zeek::PIA";
 		config.description = "Analyzers implementing Dynamic Protocol";
 		return config;
 		}
diff --git a/src/analyzer/protocol/pop3/CMakeLists.txt b/src/analyzer/protocol/pop3/CMakeLists.txt
index 2c17c3472b..dcca381140 100644
--- a/src/analyzer/protocol/pop3/CMakeLists.txt
+++ b/src/analyzer/protocol/pop3/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro POP3)
+zeek_plugin_begin(Zeek POP3)
 zeek_plugin_cc(POP3.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/pop3/Plugin.cc b/src/analyzer/protocol/pop3/Plugin.cc
index f6a97b824e..0fed697e83 100644
--- a/src/analyzer/protocol/pop3/Plugin.cc
+++ b/src/analyzer/protocol/pop3/Plugin.cc
@@ -6,7 +6,7 @@
 #include "POP3.h"
 
 namespace plugin {
-namespace Bro_POP3 {
+namespace Zeek_POP3 {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("POP3", ::analyzer::pop3::POP3_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::POP3";
+		config.name = "Zeek::POP3";
 		config.description = "POP3 analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/radius/CMakeLists.txt b/src/analyzer/protocol/radius/CMakeLists.txt
index 14fdcda418..3e5477be9e 100644
--- a/src/analyzer/protocol/radius/CMakeLists.txt
+++ b/src/analyzer/protocol/radius/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro RADIUS)
+zeek_plugin_begin(Zeek RADIUS)
 zeek_plugin_cc(RADIUS.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(radius.pac radius-analyzer.pac radius-protocol.pac)
diff --git a/src/analyzer/protocol/radius/Plugin.cc b/src/analyzer/protocol/radius/Plugin.cc
index c2729289ef..8b6efe15b8 100644
--- a/src/analyzer/protocol/radius/Plugin.cc
+++ b/src/analyzer/protocol/radius/Plugin.cc
@@ -6,7 +6,7 @@
 #include "RADIUS.h"
 
 namespace plugin {
-namespace Bro_RADIUS {
+namespace Zeek_RADIUS {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("RADIUS", ::analyzer::RADIUS::RADIUS_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::RADIUS";
+		config.name = "Zeek::RADIUS";
 		config.description = "RADIUS analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/rdp/CMakeLists.txt b/src/analyzer/protocol/rdp/CMakeLists.txt
index 8e0e821f5a..67ad09c18c 100644
--- a/src/analyzer/protocol/rdp/CMakeLists.txt
+++ b/src/analyzer/protocol/rdp/CMakeLists.txt
@@ -2,7 +2,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro RDP)
+zeek_plugin_begin(Zeek RDP)
 	zeek_plugin_cc(RDP.cc Plugin.cc)
 	zeek_plugin_bif(events.bif)
 	zeek_plugin_bif(types.bif)
diff --git a/src/analyzer/protocol/rdp/Plugin.cc b/src/analyzer/protocol/rdp/Plugin.cc
index 770bdfc730..169c7501d6 100644
--- a/src/analyzer/protocol/rdp/Plugin.cc
+++ b/src/analyzer/protocol/rdp/Plugin.cc
@@ -3,7 +3,7 @@
 #include "RDP.h"
 
 namespace plugin {
-namespace Bro_RDP {
+namespace Zeek_RDP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -12,7 +12,7 @@ public:
                 AddComponent(new ::analyzer::Component("RDP", ::analyzer::rdp::RDP_Analyzer::InstantiateAnalyzer));
 
                 plugin::Configuration config;
-                config.name = "Bro::RDP";
+                config.name = "Zeek::RDP";
                 config.description = "RDP analyzer";
                 return config;
                 }
diff --git a/src/analyzer/protocol/rfb/CMakeLists.txt b/src/analyzer/protocol/rfb/CMakeLists.txt
index 72b4bc240e..10c8b2de12 100644
--- a/src/analyzer/protocol/rfb/CMakeLists.txt
+++ b/src/analyzer/protocol/rfb/CMakeLists.txt
@@ -2,7 +2,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro RFB)
+zeek_plugin_begin(Zeek RFB)
 	zeek_plugin_cc(RFB.cc Plugin.cc)
 	zeek_plugin_bif(events.bif)
 	zeek_plugin_pac(rfb.pac rfb-analyzer.pac rfb-protocol.pac)
diff --git a/src/analyzer/protocol/rfb/Plugin.cc b/src/analyzer/protocol/rfb/Plugin.cc
index b3bed0f093..8cf53bb007 100644
--- a/src/analyzer/protocol/rfb/Plugin.cc
+++ b/src/analyzer/protocol/rfb/Plugin.cc
@@ -3,7 +3,7 @@
 #include "RFB.h"
 
 namespace plugin {
-namespace Bro_RFB {
+namespace Zeek_RFB {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -13,11 +13,11 @@ public:
 		             ::analyzer::rfb::RFB_Analyzer::InstantiateAnalyzer));
 
 		plugin::Configuration config;
-		config.name = "Bro::RFB";
+		config.name = "Zeek::RFB";
 		config.description = "Parser for rfb (VNC) analyzer";
 		return config;
 		}
 } plugin;
 
 }
-}
\ No newline at end of file
+}
diff --git a/src/analyzer/protocol/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt
index 82168bb364..f1da2c9692 100644
--- a/src/analyzer/protocol/rpc/CMakeLists.txt
+++ b/src/analyzer/protocol/rpc/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro RPC)
+zeek_plugin_begin(Zeek RPC)
 zeek_plugin_cc(RPC.cc NFS.cc MOUNT.cc Portmap.cc XDR.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc
index abc2f679f2..2fff0ff6cf 100644
--- a/src/analyzer/protocol/rpc/Plugin.cc
+++ b/src/analyzer/protocol/rpc/Plugin.cc
@@ -9,7 +9,7 @@
 #include "Portmap.h"
 
 namespace plugin {
-namespace Bro_RPC {
+namespace Zeek_RPC {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -22,7 +22,7 @@ public:
 		AddComponent(new ::analyzer::Component("Contents_NFS", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::RPC";
+		config.name = "Zeek::RPC";
 		config.description = "Analyzers for RPC-based protocols";
 		return config;
 		}
diff --git a/src/analyzer/protocol/sip/CMakeLists.txt b/src/analyzer/protocol/sip/CMakeLists.txt
index d9e2871063..e0ae9d2b90 100644
--- a/src/analyzer/protocol/sip/CMakeLists.txt
+++ b/src/analyzer/protocol/sip/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SIP)
+zeek_plugin_begin(Zeek SIP)
 zeek_plugin_cc(Plugin.cc)
 zeek_plugin_cc(SIP.cc)
 zeek_plugin_cc(SIP_TCP.cc)
diff --git a/src/analyzer/protocol/sip/Plugin.cc b/src/analyzer/protocol/sip/Plugin.cc
index cb8d49ddb6..23ddebc12c 100644
--- a/src/analyzer/protocol/sip/Plugin.cc
+++ b/src/analyzer/protocol/sip/Plugin.cc
@@ -7,7 +7,7 @@
 #include "SIP_TCP.h"
 
 namespace plugin {
-namespace Bro_SIP {
+namespace Zeek_SIP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -19,7 +19,7 @@ public:
 		// AddComponent(new ::analyzer::Component("SIP_TCP", ::analyzer::sip_tcp::SIP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::SIP";
+		config.name = "Zeek::SIP";
 		config.description = "SIP analyzer UDP-only";
 		return config;
 		}
diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt
index 04e6720b57..5fbbe190d0 100644
--- a/src/analyzer/protocol/smb/CMakeLists.txt
+++ b/src/analyzer/protocol/smb/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 include_directories(AFTER  ${CMAKE_CURRENT_BINARY_DIR}/../dce-rpc)
 
-zeek_plugin_begin(Bro SMB)
+zeek_plugin_begin(Zeek SMB)
 zeek_plugin_cc(SMB.cc Plugin.cc)
 zeek_plugin_bif(
 	smb1_com_check_directory.bif
diff --git a/src/analyzer/protocol/smb/Plugin.cc b/src/analyzer/protocol/smb/Plugin.cc
index 7af28aa671..788333bb7c 100644
--- a/src/analyzer/protocol/smb/Plugin.cc
+++ b/src/analyzer/protocol/smb/Plugin.cc
@@ -5,7 +5,7 @@
 #include "SMB.h"
 
 namespace plugin {
-namespace Bro_SMB {
+namespace Zeek_SMB {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("Contents_SMB", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::SMB";
+		config.name = "Zeek::SMB";
 		config.description = "SMB analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/smtp/CMakeLists.txt b/src/analyzer/protocol/smtp/CMakeLists.txt
index f338ebc4c7..3ffebc66a8 100644
--- a/src/analyzer/protocol/smtp/CMakeLists.txt
+++ b/src/analyzer/protocol/smtp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SMTP)
+zeek_plugin_begin(Zeek SMTP)
 zeek_plugin_cc(SMTP.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/smtp/Plugin.cc b/src/analyzer/protocol/smtp/Plugin.cc
index ae0ef0e71a..784da4d860 100644
--- a/src/analyzer/protocol/smtp/Plugin.cc
+++ b/src/analyzer/protocol/smtp/Plugin.cc
@@ -6,7 +6,7 @@
 #include "SMTP.h"
 
 namespace plugin {
-namespace Bro_SMTP {
+namespace Zeek_SMTP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("SMTP", ::analyzer::smtp::SMTP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::SMTP";
+		config.name = "Zeek::SMTP";
 		config.description = "SMTP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/snmp/CMakeLists.txt b/src/analyzer/protocol/snmp/CMakeLists.txt
index 66c096bc03..988949bbad 100644
--- a/src/analyzer/protocol/snmp/CMakeLists.txt
+++ b/src/analyzer/protocol/snmp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SNMP)
+zeek_plugin_begin(Zeek SNMP)
 zeek_plugin_cc(SNMP.cc Plugin.cc)
 zeek_plugin_bif(types.bif)
 zeek_plugin_bif(events.bif)
diff --git a/src/analyzer/protocol/snmp/Plugin.cc b/src/analyzer/protocol/snmp/Plugin.cc
index 30f690ec96..d5c6e98309 100644
--- a/src/analyzer/protocol/snmp/Plugin.cc
+++ b/src/analyzer/protocol/snmp/Plugin.cc
@@ -5,7 +5,7 @@
 #include "SNMP.h"
 
 namespace plugin {
-namespace Bro_SNMP {
+namespace Zeek_SNMP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::analyzer::Component("SNMP", ::analyzer::snmp::SNMP_Analyzer::InstantiateAnalyzer));
 
 		plugin::Configuration config;
-		config.name = "Bro::SNMP";
+		config.name = "Zeek::SNMP";
 		config.description = "SNMP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/socks/CMakeLists.txt b/src/analyzer/protocol/socks/CMakeLists.txt
index 3fbc88b83a..93e111814a 100644
--- a/src/analyzer/protocol/socks/CMakeLists.txt
+++ b/src/analyzer/protocol/socks/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SOCKS)
+zeek_plugin_begin(Zeek SOCKS)
 zeek_plugin_cc(SOCKS.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(socks.pac socks-protocol.pac socks-analyzer.pac)
diff --git a/src/analyzer/protocol/socks/Plugin.cc b/src/analyzer/protocol/socks/Plugin.cc
index 661e39efbc..8efbeeb23e 100644
--- a/src/analyzer/protocol/socks/Plugin.cc
+++ b/src/analyzer/protocol/socks/Plugin.cc
@@ -6,7 +6,7 @@
 #include "SOCKS.h"
 
 namespace plugin {
-namespace Bro_SOCKS {
+namespace Zeek_SOCKS {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("SOCKS", ::analyzer::socks::SOCKS_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::SOCKS";
+		config.name = "Zeek::SOCKS";
 		config.description = "SOCKS analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/ssh/CMakeLists.txt b/src/analyzer/protocol/ssh/CMakeLists.txt
index 66fe3eb1a4..a7cb99b353 100644
--- a/src/analyzer/protocol/ssh/CMakeLists.txt
+++ b/src/analyzer/protocol/ssh/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SSH)
+zeek_plugin_begin(Zeek SSH)
 	zeek_plugin_cc(SSH.cc Plugin.cc)
 	zeek_plugin_bif(types.bif)
 	zeek_plugin_bif(events.bif)
diff --git a/src/analyzer/protocol/ssh/Plugin.cc b/src/analyzer/protocol/ssh/Plugin.cc
index be5d2f428b..7b6ac67c88 100644
--- a/src/analyzer/protocol/ssh/Plugin.cc
+++ b/src/analyzer/protocol/ssh/Plugin.cc
@@ -4,7 +4,7 @@
 #include "SSH.h"
 
 namespace plugin {
-	namespace Bro_SSH {
+	namespace Zeek_SSH {
 
 		class Plugin : public plugin::Plugin {
 		public:
@@ -13,7 +13,7 @@ namespace plugin {
 				AddComponent(new ::analyzer::Component("SSH", ::analyzer::SSH::SSH_Analyzer::Instantiate));
 
 				plugin::Configuration config;
-				config.name = "Bro::SSH";
+				config.name = "Zeek::SSH";
 				config.description = "Secure Shell analyzer";
 				return config;
 				}
diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
index 52b75f1336..47093a978e 100644
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SSL)
+zeek_plugin_begin(Zeek SSL)
 zeek_plugin_cc(SSL.cc DTLS.cc Plugin.cc)
 zeek_plugin_bif(types.bif)
 zeek_plugin_bif(events.bif)
diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc
index 85b65aedfd..60d6b0d4a3 100644
--- a/src/analyzer/protocol/ssl/Plugin.cc
+++ b/src/analyzer/protocol/ssl/Plugin.cc
@@ -7,7 +7,7 @@
 #include "DTLS.h"
 
 namespace plugin {
-namespace Bro_SSL {
+namespace Zeek_SSL {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -17,7 +17,7 @@ public:
 		AddComponent(new ::analyzer::Component("DTLS", ::analyzer::dtls::DTLS_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::SSL";
+		config.name = "Zeek::SSL";
 		config.description = "SSL/TLS and DTLS analyzers";
 		return config;
 		}
diff --git a/src/analyzer/protocol/stepping-stone/CMakeLists.txt b/src/analyzer/protocol/stepping-stone/CMakeLists.txt
index 91888ac5cb..8975da49f9 100644
--- a/src/analyzer/protocol/stepping-stone/CMakeLists.txt
+++ b/src/analyzer/protocol/stepping-stone/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SteppingStone)
+zeek_plugin_begin(Zeek SteppingStone)
 zeek_plugin_cc(SteppingStone.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/stepping-stone/Plugin.cc b/src/analyzer/protocol/stepping-stone/Plugin.cc
index f3566eb551..5d76fa7d74 100644
--- a/src/analyzer/protocol/stepping-stone/Plugin.cc
+++ b/src/analyzer/protocol/stepping-stone/Plugin.cc
@@ -6,7 +6,7 @@
 #include "SteppingStone.h"
 
 namespace plugin {
-namespace Bro_SteppingStone {
+namespace Zeek_SteppingStone {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("SteppingStone", ::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::SteppingStone";
+		config.name = "Zeek::SteppingStone";
 		config.description = "Stepping stone analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/syslog/CMakeLists.txt b/src/analyzer/protocol/syslog/CMakeLists.txt
index 81f58c86c3..5e1fca87ad 100644
--- a/src/analyzer/protocol/syslog/CMakeLists.txt
+++ b/src/analyzer/protocol/syslog/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Syslog)
+zeek_plugin_begin(Zeek Syslog)
 zeek_plugin_cc(Syslog.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
diff --git a/src/analyzer/protocol/syslog/Plugin.cc b/src/analyzer/protocol/syslog/Plugin.cc
index c2478bdeb0..e4d5f38fa1 100644
--- a/src/analyzer/protocol/syslog/Plugin.cc
+++ b/src/analyzer/protocol/syslog/Plugin.cc
@@ -6,7 +6,7 @@
 #include "Syslog.h"
 
 namespace plugin {
-namespace Bro_Syslog {
+namespace Zeek_Syslog {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("Syslog", ::analyzer::syslog::Syslog_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Syslog";
+		config.name = "Zeek::Syslog";
 		config.description = "Syslog analyzer UDP-only";
 		return config;
 		}
diff --git a/src/analyzer/protocol/tcp/CMakeLists.txt b/src/analyzer/protocol/tcp/CMakeLists.txt
index af91902f51..c00f3e5379 100644
--- a/src/analyzer/protocol/tcp/CMakeLists.txt
+++ b/src/analyzer/protocol/tcp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro TCP)
+zeek_plugin_begin(Zeek TCP)
 zeek_plugin_cc(TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc ContentLine.cc Stats.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(functions.bif)
diff --git a/src/analyzer/protocol/tcp/Plugin.cc b/src/analyzer/protocol/tcp/Plugin.cc
index b258135b37..3a99b2036a 100644
--- a/src/analyzer/protocol/tcp/Plugin.cc
+++ b/src/analyzer/protocol/tcp/Plugin.cc
@@ -6,7 +6,7 @@
 #include "TCP.h"
 
 namespace plugin {
-namespace Bro_TCP {
+namespace Zeek_TCP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -18,7 +18,7 @@ public:
 		AddComponent(new ::analyzer::Component("Contents", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::TCP";
+		config.name = "Zeek::TCP";
 		config.description = "TCP analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/teredo/CMakeLists.txt b/src/analyzer/protocol/teredo/CMakeLists.txt
index d5e68bb86e..da23152c3d 100644
--- a/src/analyzer/protocol/teredo/CMakeLists.txt
+++ b/src/analyzer/protocol/teredo/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Teredo)
+zeek_plugin_begin(Zeek Teredo)
 zeek_plugin_cc(Teredo.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc
index 226d84a4a2..eeebea870d 100644
--- a/src/analyzer/protocol/teredo/Plugin.cc
+++ b/src/analyzer/protocol/teredo/Plugin.cc
@@ -6,7 +6,7 @@
 #include "Teredo.h"
 
 namespace plugin {
-namespace Bro_Teredo {
+namespace Zeek_Teredo {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("Teredo", ::analyzer::teredo::Teredo_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Teredo";
+		config.name = "Zeek::Teredo";
 		config.description = "Teredo analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/udp/CMakeLists.txt b/src/analyzer/protocol/udp/CMakeLists.txt
index 4c9e252a08..47140a9df2 100644
--- a/src/analyzer/protocol/udp/CMakeLists.txt
+++ b/src/analyzer/protocol/udp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro UDP)
+zeek_plugin_begin(Zeek UDP)
 zeek_plugin_cc(UDP.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/udp/Plugin.cc b/src/analyzer/protocol/udp/Plugin.cc
index 2569d95a86..9a42be6fa8 100644
--- a/src/analyzer/protocol/udp/Plugin.cc
+++ b/src/analyzer/protocol/udp/Plugin.cc
@@ -6,7 +6,7 @@
 #include "analyzer/protocol/udp/UDP.h"
 
 namespace plugin {
-namespace Bro_UDP {
+namespace Zeek_UDP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("UDP", ::analyzer::udp::UDP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::UDP";
+		config.name = "Zeek::UDP";
 		config.description = "UDP Analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/vxlan/CMakeLists.txt b/src/analyzer/protocol/vxlan/CMakeLists.txt
index 438250cdea..64c8600844 100644
--- a/src/analyzer/protocol/vxlan/CMakeLists.txt
+++ b/src/analyzer/protocol/vxlan/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro VXLAN)
+zeek_plugin_begin(Zeek VXLAN)
 zeek_plugin_cc(VXLAN.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/vxlan/Plugin.cc b/src/analyzer/protocol/vxlan/Plugin.cc
index 1c214d691f..73c2cfd53b 100644
--- a/src/analyzer/protocol/vxlan/Plugin.cc
+++ b/src/analyzer/protocol/vxlan/Plugin.cc
@@ -5,7 +5,7 @@
 #include "VXLAN.h"
 
 namespace plugin {
-namespace Bro_VXLAN {
+namespace Zeek_VXLAN {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::analyzer::Component("VXLAN", ::analyzer::vxlan::VXLAN_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::VXLAN";
+		config.name = "Zeek::VXLAN";
 		config.description = "VXLAN analyzer";
 		return config;
 		}
diff --git a/src/analyzer/protocol/xmpp/CMakeLists.txt b/src/analyzer/protocol/xmpp/CMakeLists.txt
index 93b866c2a8..5cc55f82a7 100644
--- a/src/analyzer/protocol/xmpp/CMakeLists.txt
+++ b/src/analyzer/protocol/xmpp/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro XMPP)
+zeek_plugin_begin(Zeek XMPP)
 zeek_plugin_cc(Plugin.cc)
 zeek_plugin_cc(XMPP.cc)
 zeek_plugin_bif(events.bif)
diff --git a/src/analyzer/protocol/xmpp/Plugin.cc b/src/analyzer/protocol/xmpp/Plugin.cc
index d3bfcc5b10..92165e3d99 100644
--- a/src/analyzer/protocol/xmpp/Plugin.cc
+++ b/src/analyzer/protocol/xmpp/Plugin.cc
@@ -4,7 +4,7 @@
 #include "XMPP.h"
 
 namespace plugin {
-namespace Bro_XMPP {
+namespace Zeek_XMPP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -13,7 +13,7 @@ public:
 		AddComponent(new ::analyzer::Component("XMPP", ::analyzer::xmpp::XMPP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::XMPP";
+		config.name = "Zeek::XMPP";
 		config.description = "XMPP analyzer (StartTLS only)";
 		return config;
 		}
diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt
index 5fc7e901ec..579d225e5a 100644
--- a/src/analyzer/protocol/zip/CMakeLists.txt
+++ b/src/analyzer/protocol/zip/CMakeLists.txt
@@ -3,6 +3,6 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro ZIP)
+zeek_plugin_begin(Zeek ZIP)
 zeek_plugin_cc(ZIP.cc Plugin.cc)
 zeek_plugin_end()
diff --git a/src/analyzer/protocol/zip/Plugin.cc b/src/analyzer/protocol/zip/Plugin.cc
index 7a0bff39ad..f81576e1bb 100644
--- a/src/analyzer/protocol/zip/Plugin.cc
+++ b/src/analyzer/protocol/zip/Plugin.cc
@@ -6,7 +6,7 @@
 #include "ZIP.h"
 
 namespace plugin {
-namespace Bro_ZIP {
+namespace Zeek_ZIP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("ZIP", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::ZIP";
+		config.name = "Zeek::ZIP";
 		config.description = "Generic ZIP support analyzer";
 		return config;
 		}
diff --git a/src/file_analysis/analyzer/data_event/CMakeLists.txt b/src/file_analysis/analyzer/data_event/CMakeLists.txt
index cbba53cdbc..0a62b1d666 100644
--- a/src/file_analysis/analyzer/data_event/CMakeLists.txt
+++ b/src/file_analysis/analyzer/data_event/CMakeLists.txt
@@ -3,6 +3,6 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro FileDataEvent)
+zeek_plugin_begin(Zeek FileDataEvent)
 zeek_plugin_cc(DataEvent.cc Plugin.cc ../../Analyzer.cc)
 zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/data_event/Plugin.cc b/src/file_analysis/analyzer/data_event/Plugin.cc
index d39120cfe6..b41d2356a7 100644
--- a/src/file_analysis/analyzer/data_event/Plugin.cc
+++ b/src/file_analysis/analyzer/data_event/Plugin.cc
@@ -5,7 +5,7 @@
 #include "DataEvent.h"
 
 namespace plugin {
-namespace Bro_FileDataEvent {
+namespace Zeek_FileDataEvent {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::file_analysis::Component("DATA_EVENT", ::file_analysis::DataEvent::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::FileDataEvent";
+		config.name = "Zeek::FileDataEvent";
 		config.description = "Delivers file content";
 		return config;
 		}
diff --git a/src/file_analysis/analyzer/entropy/CMakeLists.txt b/src/file_analysis/analyzer/entropy/CMakeLists.txt
index 6eba4e85a3..7841f27f94 100644
--- a/src/file_analysis/analyzer/entropy/CMakeLists.txt
+++ b/src/file_analysis/analyzer/entropy/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro FileEntropy)
+zeek_plugin_begin(Zeek FileEntropy)
 zeek_plugin_cc(Entropy.cc Plugin.cc ../../Analyzer.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/entropy/Plugin.cc b/src/file_analysis/analyzer/entropy/Plugin.cc
index f1dd954cba..a4ae3416cd 100644
--- a/src/file_analysis/analyzer/entropy/Plugin.cc
+++ b/src/file_analysis/analyzer/entropy/Plugin.cc
@@ -5,7 +5,7 @@
 #include "Entropy.h"
 
 namespace plugin {
-namespace Bro_FileEntropy {
+namespace Zeek_FileEntropy {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::file_analysis::Component("ENTROPY", ::file_analysis::Entropy::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::FileEntropy";
+		config.name = "Zeek::FileEntropy";
 		config.description = "Entropy test file content";
 		return config;
 		}
diff --git a/src/file_analysis/analyzer/extract/CMakeLists.txt b/src/file_analysis/analyzer/extract/CMakeLists.txt
index 4588152fde..7df895af38 100644
--- a/src/file_analysis/analyzer/extract/CMakeLists.txt
+++ b/src/file_analysis/analyzer/extract/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro FileExtract)
+zeek_plugin_begin(Zeek FileExtract)
 zeek_plugin_cc(Extract.cc Plugin.cc ../../Analyzer.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_bif(functions.bif)
diff --git a/src/file_analysis/analyzer/extract/Plugin.cc b/src/file_analysis/analyzer/extract/Plugin.cc
index f4e234ef11..be8c44eaac 100644
--- a/src/file_analysis/analyzer/extract/Plugin.cc
+++ b/src/file_analysis/analyzer/extract/Plugin.cc
@@ -5,7 +5,7 @@
 #include "Extract.h"
 
 namespace plugin {
-namespace Bro_FileExtract {
+namespace Zeek_FileExtract {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::file_analysis::Component("EXTRACT", ::file_analysis::Extract::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::FileExtract";
+		config.name = "Zeek::FileExtract";
 		config.description = "Extract file content";
 		return config;
 		}
diff --git a/src/file_analysis/analyzer/hash/CMakeLists.txt b/src/file_analysis/analyzer/hash/CMakeLists.txt
index bfa975f682..46d557fd4b 100644
--- a/src/file_analysis/analyzer/hash/CMakeLists.txt
+++ b/src/file_analysis/analyzer/hash/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro FileHash)
+zeek_plugin_begin(Zeek FileHash)
 zeek_plugin_cc(Hash.cc Plugin.cc ../../Analyzer.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
diff --git a/src/file_analysis/analyzer/hash/Plugin.cc b/src/file_analysis/analyzer/hash/Plugin.cc
index 8bb0f0fab3..774e51511e 100644
--- a/src/file_analysis/analyzer/hash/Plugin.cc
+++ b/src/file_analysis/analyzer/hash/Plugin.cc
@@ -5,7 +5,7 @@
 #include "Hash.h"
 
 namespace plugin {
-namespace Bro_FileHash {
+namespace Zeek_FileHash {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::file_analysis::Component("SHA256", ::file_analysis::SHA256::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::FileHash";
+		config.name = "Zeek::FileHash";
 		config.description = "Hash file content";
 		return config;
 		}
diff --git a/src/file_analysis/analyzer/pe/CMakeLists.txt b/src/file_analysis/analyzer/pe/CMakeLists.txt
index b380c5ffef..c6439ce54d 100644
--- a/src/file_analysis/analyzer/pe/CMakeLists.txt
+++ b/src/file_analysis/analyzer/pe/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro PE)
+zeek_plugin_begin(Zeek PE)
 zeek_plugin_cc(PE.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_pac(
diff --git a/src/file_analysis/analyzer/pe/Plugin.cc b/src/file_analysis/analyzer/pe/Plugin.cc
index 8601dedb67..08a255785e 100644
--- a/src/file_analysis/analyzer/pe/Plugin.cc
+++ b/src/file_analysis/analyzer/pe/Plugin.cc
@@ -5,7 +5,7 @@
 #include "PE.h"
 
 namespace plugin {
-namespace Bro_PE {
+namespace Zeek_PE {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::file_analysis::Component("PE", ::file_analysis::PE::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::PE";
+		config.name = "Zeek::PE";
 		config.description = "Portable Executable analyzer";
 		return config;
 		}
diff --git a/src/file_analysis/analyzer/unified2/CMakeLists.txt b/src/file_analysis/analyzer/unified2/CMakeLists.txt
index 487cf152be..bd1537c8ef 100644
--- a/src/file_analysis/analyzer/unified2/CMakeLists.txt
+++ b/src/file_analysis/analyzer/unified2/CMakeLists.txt
@@ -4,7 +4,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Unified2)
+zeek_plugin_begin(Zeek Unified2)
 zeek_plugin_cc(Unified2.cc Plugin.cc ../../Analyzer.cc)
 zeek_plugin_bif(events.bif types.bif)
 zeek_plugin_pac(unified2.pac unified2-file.pac unified2-analyzer.pac)
diff --git a/src/file_analysis/analyzer/unified2/Plugin.cc b/src/file_analysis/analyzer/unified2/Plugin.cc
index a0f885b7cb..2fef6e5dfa 100644
--- a/src/file_analysis/analyzer/unified2/Plugin.cc
+++ b/src/file_analysis/analyzer/unified2/Plugin.cc
@@ -7,7 +7,7 @@
 #include "Unified2.h"
 
 namespace plugin {
-namespace Bro_Unified2 {
+namespace Zeek_Unified2 {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::file_analysis::Component("UNIFIED2", ::file_analysis::Unified2::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Unified2";
+		config.name = "Zeek::Unified2";
 		config.description = "Analyze Unified2 alert files.";
 		return config;
 		}
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index fae96dd726..d8ef11fe17 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -4,7 +4,7 @@ include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
                            ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro X509)
+zeek_plugin_begin(Zeek X509)
 zeek_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc)
 zeek_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif)
 zeek_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac)
diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc
index 31dbe346a8..9de6648893 100644
--- a/src/file_analysis/analyzer/x509/Plugin.cc
+++ b/src/file_analysis/analyzer/x509/Plugin.cc
@@ -7,7 +7,7 @@
 #include "OCSP.h"
 
 namespace plugin {
-namespace Bro_X509 {
+namespace Zeek_X509 {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -18,7 +18,7 @@ public:
 		AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply));
 
 		plugin::Configuration config;
-		config.name = "Bro::X509";
+		config.name = "Zeek::X509";
 		config.description = "X509 and OCSP analyzer";
 		return config;
 		}
diff --git a/src/input/readers/ascii/CMakeLists.txt b/src/input/readers/ascii/CMakeLists.txt
index 5c69899b55..fe5c9f01a4 100644
--- a/src/input/readers/ascii/CMakeLists.txt
+++ b/src/input/readers/ascii/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro AsciiReader)
+zeek_plugin_begin(Zeek AsciiReader)
 zeek_plugin_cc(Ascii.cc Plugin.cc)
 zeek_plugin_bif(ascii.bif)
 zeek_plugin_end()
diff --git a/src/input/readers/ascii/Plugin.cc b/src/input/readers/ascii/Plugin.cc
index b389cb8602..79738ccba5 100644
--- a/src/input/readers/ascii/Plugin.cc
+++ b/src/input/readers/ascii/Plugin.cc
@@ -5,7 +5,7 @@
 #include "Ascii.h"
 
 namespace plugin {
-namespace Bro_AsciiReader {
+namespace Zeek_AsciiReader {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::input::Component("Ascii", ::input::reader::Ascii::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::AsciiReader";
+		config.name = "Zeek::AsciiReader";
 		config.description = "ASCII input reader";
 		return config;
 		}
diff --git a/src/input/readers/benchmark/CMakeLists.txt b/src/input/readers/benchmark/CMakeLists.txt
index 96c3b8bba5..1595af8f6c 100644
--- a/src/input/readers/benchmark/CMakeLists.txt
+++ b/src/input/readers/benchmark/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro BenchmarkReader)
+zeek_plugin_begin(Zeek BenchmarkReader)
 zeek_plugin_cc(Benchmark.cc Plugin.cc)
 zeek_plugin_bif(benchmark.bif)
 zeek_plugin_end()
diff --git a/src/input/readers/benchmark/Plugin.cc b/src/input/readers/benchmark/Plugin.cc
index d5e0975a80..8da8b24148 100644
--- a/src/input/readers/benchmark/Plugin.cc
+++ b/src/input/readers/benchmark/Plugin.cc
@@ -5,7 +5,7 @@
 #include "Benchmark.h"
 
 namespace plugin {
-namespace Bro_BenchmarkReader {
+namespace Zeek_BenchmarkReader {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::input::Component("Benchmark", ::input::reader::Benchmark::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::BenchmarkReader";
+		config.name = "Zeek::BenchmarkReader";
 		config.description = "Benchmark input reader";
 		return config;
 		}
diff --git a/src/input/readers/binary/CMakeLists.txt b/src/input/readers/binary/CMakeLists.txt
index 17859ce2b3..32dd2059e0 100644
--- a/src/input/readers/binary/CMakeLists.txt
+++ b/src/input/readers/binary/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro BinaryReader)
+zeek_plugin_begin(Zeek BinaryReader)
 zeek_plugin_cc(Binary.cc Plugin.cc)
 zeek_plugin_bif(binary.bif)
 zeek_plugin_end()
diff --git a/src/input/readers/binary/Plugin.cc b/src/input/readers/binary/Plugin.cc
index 7c5dc16b8b..a84260eb67 100644
--- a/src/input/readers/binary/Plugin.cc
+++ b/src/input/readers/binary/Plugin.cc
@@ -5,7 +5,7 @@
 #include "Binary.h"
 
 namespace plugin {
-namespace Bro_BinaryReader {
+namespace Zeek_BinaryReader {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::input::Component("Binary", ::input::reader::Binary::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::BinaryReader";
+		config.name = "Zeek::BinaryReader";
 		config.description = "Binary input reader";
 		return config;
 		}
diff --git a/src/input/readers/config/CMakeLists.txt b/src/input/readers/config/CMakeLists.txt
index 7ea9a3681a..8f3553db2c 100644
--- a/src/input/readers/config/CMakeLists.txt
+++ b/src/input/readers/config/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro ConfigReader)
+zeek_plugin_begin(Zeek ConfigReader)
 zeek_plugin_cc(Config.cc Plugin.cc)
 zeek_plugin_bif(config.bif)
 zeek_plugin_end()
diff --git a/src/input/readers/config/Plugin.cc b/src/input/readers/config/Plugin.cc
index 77c8a97091..810acc2370 100644
--- a/src/input/readers/config/Plugin.cc
+++ b/src/input/readers/config/Plugin.cc
@@ -5,7 +5,7 @@
 #include "Config.h"
 
 namespace plugin {
-namespace Bro_ConfigReader {
+namespace Zeek_ConfigReader {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::input::Component("Config", ::input::reader::Config::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::ConfigReader";
+		config.name = "Zeek::ConfigReader";
 		config.description = "Configuration file input reader";
 		return config;
 		}
diff --git a/src/input/readers/raw/CMakeLists.txt b/src/input/readers/raw/CMakeLists.txt
index 166524fa9a..2b197d5a4e 100644
--- a/src/input/readers/raw/CMakeLists.txt
+++ b/src/input/readers/raw/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro RawReader)
+zeek_plugin_begin(Zeek RawReader)
 zeek_plugin_cc(Raw.cc Plugin.cc)
 zeek_plugin_bif(raw.bif)
 zeek_plugin_end()
diff --git a/src/input/readers/raw/Plugin.cc b/src/input/readers/raw/Plugin.cc
index e16a233fe6..5791b836a1 100644
--- a/src/input/readers/raw/Plugin.cc
+++ b/src/input/readers/raw/Plugin.cc
@@ -2,9 +2,9 @@
 
 #include "Plugin.h"
 
-namespace plugin { namespace Bro_RawReader { Plugin plugin; } }
+namespace plugin { namespace Zeek_RawReader { Plugin plugin; } }
 
-using namespace plugin::Bro_RawReader;
+using namespace plugin::Zeek_RawReader;
 
 Plugin::Plugin()
 	{
@@ -15,7 +15,7 @@ plugin::Configuration Plugin::Configure()
 	AddComponent(new ::input::Component("Raw", ::input::reader::Raw::Instantiate));
 
 	plugin::Configuration config;
-	config.name = "Bro::RawReader";
+	config.name = "Zeek::RawReader";
 	config.description = "Raw input reader";
 	return config;
 	}
diff --git a/src/input/readers/raw/Plugin.h b/src/input/readers/raw/Plugin.h
index 31fa611130..7dcd5e1b13 100644
--- a/src/input/readers/raw/Plugin.h
+++ b/src/input/readers/raw/Plugin.h
@@ -7,7 +7,7 @@
 #include "Raw.h"
 
 namespace plugin {
-namespace Bro_RawReader {
+namespace Zeek_RawReader {
 
 class Plugin : public plugin::Plugin {
 public:
diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc
index 51b041744c..81627ac169 100644
--- a/src/input/readers/raw/Raw.cc
+++ b/src/input/readers/raw/Raw.cc
@@ -99,7 +99,7 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags)
 
 std::unique_lock<std::mutex> Raw::AcquireForkMutex()
 	{
-	auto lock = plugin::Bro_RawReader::plugin.ForkMutex();
+	auto lock = plugin::Zeek_RawReader::plugin.ForkMutex();
 
 	try
 		{
diff --git a/src/input/readers/sqlite/CMakeLists.txt b/src/input/readers/sqlite/CMakeLists.txt
index 8be6247c69..868a6c704b 100644
--- a/src/input/readers/sqlite/CMakeLists.txt
+++ b/src/input/readers/sqlite/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SQLiteReader)
+zeek_plugin_begin(Zeek SQLiteReader)
 zeek_plugin_cc(SQLite.cc Plugin.cc)
 zeek_plugin_bif(sqlite.bif)
 zeek_plugin_end()
diff --git a/src/input/readers/sqlite/Plugin.cc b/src/input/readers/sqlite/Plugin.cc
index db75d6dc22..6217d3bf93 100644
--- a/src/input/readers/sqlite/Plugin.cc
+++ b/src/input/readers/sqlite/Plugin.cc
@@ -5,7 +5,7 @@
 #include "SQLite.h"
 
 namespace plugin {
-namespace Bro_SQLiteReader {
+namespace Zeek_SQLiteReader {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::input::Component("SQLite", ::input::reader::SQLite::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::SQLiteReader";
+		config.name = "Zeek::SQLiteReader";
 		config.description = "SQLite input reader";
 		return config;
 		}
diff --git a/src/iosource/pcap/CMakeLists.txt b/src/iosource/pcap/CMakeLists.txt
index e003cf36f3..f829a96a19 100644
--- a/src/iosource/pcap/CMakeLists.txt
+++ b/src/iosource/pcap/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro Pcap)
+zeek_plugin_begin(Zeek Pcap)
 zeek_plugin_cc(Source.cc Dumper.cc Plugin.cc)
 bif_target(pcap.bif)
 zeek_plugin_end()
diff --git a/src/iosource/pcap/Plugin.cc b/src/iosource/pcap/Plugin.cc
index af74b16ead..75f8f54a2c 100644
--- a/src/iosource/pcap/Plugin.cc
+++ b/src/iosource/pcap/Plugin.cc
@@ -6,7 +6,7 @@
 #include "Dumper.h"
 
 namespace plugin {
-namespace Bro_Pcap {
+namespace Zeek_Pcap {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::iosource::PktDumperComponent("PcapWriter", "pcap", ::iosource::pcap::PcapDumper::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Pcap";
+		config.name = "Zeek::Pcap";
 		config.description = "Packet acquisition via libpcap";
 		return config;
 		}
diff --git a/src/logging/writers/ascii/CMakeLists.txt b/src/logging/writers/ascii/CMakeLists.txt
index e4c7789ed0..430631f997 100644
--- a/src/logging/writers/ascii/CMakeLists.txt
+++ b/src/logging/writers/ascii/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro AsciiWriter)
+zeek_plugin_begin(Zeek AsciiWriter)
 zeek_plugin_cc(Ascii.cc Plugin.cc)
 zeek_plugin_bif(ascii.bif)
 zeek_plugin_end()
diff --git a/src/logging/writers/ascii/Plugin.cc b/src/logging/writers/ascii/Plugin.cc
index 4dcefda47b..cc258c4236 100644
--- a/src/logging/writers/ascii/Plugin.cc
+++ b/src/logging/writers/ascii/Plugin.cc
@@ -6,7 +6,7 @@
 #include "Ascii.h"
 
 namespace plugin {
-namespace Bro_AsciiWriter {
+namespace Zeek_AsciiWriter {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::logging::Component("Ascii", ::logging::writer::Ascii::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::AsciiWriter";
+		config.name = "Zeek::AsciiWriter";
 		config.description = "ASCII log writer";
 		return config;
 		}
diff --git a/src/logging/writers/none/CMakeLists.txt b/src/logging/writers/none/CMakeLists.txt
index 1cd0f413e1..af386e3aee 100644
--- a/src/logging/writers/none/CMakeLists.txt
+++ b/src/logging/writers/none/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro NoneWriter)
+zeek_plugin_begin(Zeek NoneWriter)
 zeek_plugin_cc(None.cc Plugin.cc)
 zeek_plugin_bif(none.bif)
 zeek_plugin_end()
diff --git a/src/logging/writers/none/Plugin.cc b/src/logging/writers/none/Plugin.cc
index f712e7408c..3c86a238a1 100644
--- a/src/logging/writers/none/Plugin.cc
+++ b/src/logging/writers/none/Plugin.cc
@@ -6,7 +6,7 @@
 #include "None.h"
 
 namespace plugin {
-namespace Bro_NoneWriter {
+namespace Zeek_NoneWriter {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::logging::Component("None", ::logging::writer::None::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::NoneWriter";
+		config.name = "Zeek::NoneWriter";
 		config.description = "None log writer (primarily for debugging)";
 		return config;
 		}
diff --git a/src/logging/writers/sqlite/CMakeLists.txt b/src/logging/writers/sqlite/CMakeLists.txt
index 9d2f06d4ef..41c2f01c9e 100644
--- a/src/logging/writers/sqlite/CMakeLists.txt
+++ b/src/logging/writers/sqlite/CMakeLists.txt
@@ -3,7 +3,7 @@ include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-zeek_plugin_begin(Bro SQLiteWriter)
+zeek_plugin_begin(Zeek SQLiteWriter)
 zeek_plugin_cc(SQLite.cc Plugin.cc)
 zeek_plugin_bif(sqlite.bif)
 zeek_plugin_end()
diff --git a/src/logging/writers/sqlite/Plugin.cc b/src/logging/writers/sqlite/Plugin.cc
index f48ec838f1..a7ddc95472 100644
--- a/src/logging/writers/sqlite/Plugin.cc
+++ b/src/logging/writers/sqlite/Plugin.cc
@@ -6,7 +6,7 @@
 #include "SQLite.h"
 
 namespace plugin {
-namespace Bro_SQLiteWriter {
+namespace Zeek_SQLiteWriter {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::logging::Component("SQLite", ::logging::writer::SQLite::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::SQLiteWriter";
+		config.name = "Zeek::SQLiteWriter";
 		config.description = "SQLite log writer";
 		return config;
 		}
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index a4caf4f6be..e334d7f6c6 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2019-04-04-19-22-03
+#open	2019-06-08-03-43-02
 #fields	name
 #types	string
 scripts/base/init-bare.zeek
@@ -14,8 +14,8 @@ scripts/base/init-bare.zeek
   build/scripts/base/bif/reporter.bif.zeek
   build/scripts/base/bif/strings.bif.zeek
   build/scripts/base/bif/option.bif.zeek
-  build/scripts/base/bif/plugins/Bro_SNMP.types.bif.zeek
-  build/scripts/base/bif/plugins/Bro_KRB.types.bif.zeek
+  build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek
+  build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
   build/scripts/base/bif/event.bif.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
@@ -61,123 +61,123 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/cardinality-counter.bif.zeek
     build/scripts/base/bif/top-k.bif.zeek
   build/scripts/base/bif/plugins/__load__.zeek
-    build/scripts/base/bif/plugins/Bro_ARP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DHCP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DHCP.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DNP3.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DNS.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_File.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Finger.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FTP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FTP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_HTTP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_ICMP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Ident.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_IMAP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_InterConn.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_IRC.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_KRB.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Login.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Login.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_MIME.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Modbus.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_MySQL.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NCP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NCP.consts.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NTLM.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NTLM.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NTP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_POP3.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RDP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RDP.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RFB.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RPC.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SIP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SNMP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.consts.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMTP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSH.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSH.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSL.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSL.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSL.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSL.consts.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Syslog.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_TCP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_TCP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Teredo.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_UDP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_XMPP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FileHash.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_PE.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Unified2.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Unified2.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_X509.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_X509.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_X509.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.zeek
-    build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.zeek
-    build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.zeek
-    build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.zeek
-    build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_BackDoor.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_File.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_InterConn.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Unified2.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Unified2.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_X509.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
 scripts/policy/misc/loaded-scripts.zeek
   scripts/base/utils/paths.zeek
-#close	2019-04-04-19-22-03
+#close	2019-06-08-03-43-02
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 3eec8e27cc..0b49a08672 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2019-06-05-18-41-18
+#open	2019-06-08-03-43-03
 #fields	name
 #types	string
 scripts/base/init-bare.zeek
@@ -14,8 +14,8 @@ scripts/base/init-bare.zeek
   build/scripts/base/bif/reporter.bif.zeek
   build/scripts/base/bif/strings.bif.zeek
   build/scripts/base/bif/option.bif.zeek
-  build/scripts/base/bif/plugins/Bro_SNMP.types.bif.zeek
-  build/scripts/base/bif/plugins/Bro_KRB.types.bif.zeek
+  build/scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek
+  build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
   build/scripts/base/bif/event.bif.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
@@ -61,123 +61,123 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/cardinality-counter.bif.zeek
     build/scripts/base/bif/top-k.bif.zeek
   build/scripts/base/bif/plugins/__load__.zeek
-    build/scripts/base/bif/plugins/Bro_ARP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_ConnSize.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DCE_RPC.consts.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DHCP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DHCP.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DNP3.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_DNS.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_File.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Finger.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FTP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FTP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_HTTP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_ICMP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Ident.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_IMAP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_InterConn.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_IRC.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_KRB.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Login.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Login.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_MIME.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Modbus.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_MySQL.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NCP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NCP.consts.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NTLM.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NTLM.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NTP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_POP3.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RDP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RDP.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RFB.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RPC.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SIP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SNMP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_close.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb1_events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_close.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_create.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_read.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_write.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_com_transform_header.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.smb2_events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.consts.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMB.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMTP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSH.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSH.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSL.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSL.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSL.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SSL.consts.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Syslog.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_TCP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_TCP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Teredo.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_UDP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_VXLAN.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_XMPP.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_FileHash.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_PE.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Unified2.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_Unified2.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_X509.events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_X509.types.bif.zeek
-    build/scripts/base/bif/plugins/Bro_X509.functions.bif.zeek
-    build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.zeek
-    build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.zeek
-    build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.zeek
-    build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.zeek
-    build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.zeek
-    build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.zeek
-    build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.zeek
-    build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.zeek
-    build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_BackDoor.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_File.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_InterConn.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_PE.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Unified2.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Unified2.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_X509.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_X509.types.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek
 scripts/base/init-default.zeek
   scripts/base/utils/active-http.zeek
     scripts/base/utils/exec.zeek
@@ -370,4 +370,4 @@ scripts/base/init-default.zeek
   scripts/base/misc/find-filtered-trace.zeek
   scripts/base/misc/version.zeek
 scripts/policy/misc/loaded-scripts.zeek
-#close	2019-06-05-18-41-19
+#close	2019-06-08-03-43-03
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 27949c8795..b091251bec 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -273,7 +273,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559965406.801449, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -450,7 +450,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559965406.801449, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -562,125 +562,125 @@
 0.000000   MetaHookPost  DrainEvents() -> <void>
 0.000000   MetaHookPost  LoadFile(0, ..<...>/main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ..<...>/plugin.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_ARP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_BackDoor.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_BitTorrent.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_ConfigReader.config.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_ConnSize.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_ConnSize.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_DHCP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_DHCP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_DNP3.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_DNS.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_FTP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_FTP.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_File.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_FileEntropy.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_FileExtract.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_FileExtract.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_FileHash.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Finger.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_GSSAPI.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_GTPv1.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Gnutella.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_HTTP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_HTTP.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_ICMP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_IMAP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_IRC.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Ident.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_InterConn.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_KRB.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_KRB.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Login.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Login.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_MIME.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Modbus.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_MySQL.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NCP.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NCP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTLM.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTLM.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NetBIOS.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NoneWriter.none.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_PE.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_POP3.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_RADIUS.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_RDP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_RDP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_RFB.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_RPC.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_RawReader.raw.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SIP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMB.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMTP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SMTP.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SNMP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SNMP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SOCKS.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SSH.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SSH.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SSL.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SSL.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SSL.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SSL.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_SteppingStone.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Syslog.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_TCP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_TCP.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Teredo.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_UDP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Unified2.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Unified2.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_VXLAN.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_X509.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_XMPP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_ARP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_AsciiReader.ascii.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_AsciiWriter.ascii.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_BackDoor.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_BinaryReader.binary.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_BitTorrent.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_ConfigReader.config.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_ConnSize.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_ConnSize.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_DCE_RPC.consts.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_DCE_RPC.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_DCE_RPC.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_DHCP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_DHCP.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_DNP3.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_DNS.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_FTP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_FTP.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_File.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_FileEntropy.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_FileExtract.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_FileExtract.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_FileHash.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Finger.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_GSSAPI.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_GTPv1.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Gnutella.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_HTTP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_HTTP.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_ICMP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_IMAP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_IRC.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Ident.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_InterConn.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_KRB.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_KRB.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Login.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Login.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_MIME.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Modbus.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_MySQL.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_NCP.consts.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_NCP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_NTLM.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_NTLM.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_NTP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_NetBIOS.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_NetBIOS.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_NoneWriter.none.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_PE.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_POP3.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_RADIUS.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_RDP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_RDP.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_RFB.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_RPC.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_RawReader.raw.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SIP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.consts.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_check_directory.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_close.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_create_directory.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_echo.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_negotiate.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_query_information.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_read_andx.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_transaction.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_transaction2.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_com_write_andx.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb1_events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_close.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_create.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_negotiate.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_read.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_session_setup.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_set_info.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_transform_header.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_com_write.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.smb2_events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMB.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMTP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SMTP.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SNMP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SNMP.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SOCKS.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SQLiteReader.sqlite.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SQLiteWriter.sqlite.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SSH.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SSH.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SSL.consts.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SSL.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SSL.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SSL.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_SteppingStone.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Syslog.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_TCP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_TCP.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Teredo.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_UDP.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Unified2.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Unified2.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_VXLAN.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_X509.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_X509.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_X509.ocsp_events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_X509.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_XMPP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/acld.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/add-geodata.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/addrs.zeek) -> -1
@@ -773,8 +773,8 @@
 0.000000   MetaHookPost  LoadFile(0, <...>/__load__.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, <...>/__preload__.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, <...>/hooks.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/Bro_KRB.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/Bro_SNMP.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_KRB.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_SNMP.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/active-http.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/addrs.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer) -> -1
@@ -1159,7 +1159,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1559965406.801449, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1336,7 +1336,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1559965406.801449, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1448,125 +1448,125 @@
 0.000000   MetaHookPre   DrainEvents()
 0.000000   MetaHookPre   LoadFile(0, ..<...>/main.zeek)
 0.000000   MetaHookPre   LoadFile(0, ..<...>/plugin.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_ARP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_BackDoor.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_BitTorrent.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_ConfigReader.config.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_ConnSize.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_ConnSize.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_DHCP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_DHCP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_DNP3.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_DNS.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_FTP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_FTP.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_File.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_FileEntropy.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_FileExtract.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_FileExtract.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_FileHash.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Finger.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_GSSAPI.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_GTPv1.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Gnutella.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_HTTP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_HTTP.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_ICMP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_IMAP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_IRC.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Ident.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_InterConn.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_KRB.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_KRB.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Login.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Login.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_MIME.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Modbus.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_MySQL.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NCP.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NCP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTLM.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTLM.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NetBIOS.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NoneWriter.none.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_PE.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_POP3.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_RADIUS.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_RDP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_RDP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_RFB.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_RPC.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_RawReader.raw.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SIP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_transform_header.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMB.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMTP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SMTP.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SNMP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SNMP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SOCKS.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SSH.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SSH.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SSL.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SSL.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SSL.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SSL.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_SteppingStone.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Syslog.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_TCP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_TCP.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Teredo.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_UDP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Unified2.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Unified2.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_VXLAN.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_X509.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_XMPP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_ARP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_AsciiReader.ascii.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_AsciiWriter.ascii.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_BackDoor.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_BinaryReader.binary.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_BitTorrent.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_ConfigReader.config.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_ConnSize.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_ConnSize.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_DCE_RPC.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_DCE_RPC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_DCE_RPC.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_DHCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_DHCP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_DNP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_DNS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_FTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_FTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_File.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_FileEntropy.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_FileExtract.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_FileExtract.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_FileHash.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Finger.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_GSSAPI.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_GTPv1.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Gnutella.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_HTTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_HTTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_ICMP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_IMAP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_IRC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Ident.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_InterConn.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_KRB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_KRB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Login.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Login.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_MIME.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Modbus.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_MySQL.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_NCP.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_NCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_NTLM.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_NTLM.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_NTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_NetBIOS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_NetBIOS.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_NoneWriter.none.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_PE.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_POP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_RADIUS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_RDP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_RDP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_RFB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_RPC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_RawReader.raw.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SIP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_check_directory.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_close.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_create_directory.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_echo.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_negotiate.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_query_information.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_read_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_transaction.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_transaction2.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_com_write_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb1_events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_close.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_create.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_negotiate.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_read.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_session_setup.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_set_info.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_transform_header.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_com_write.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.smb2_events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SMTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SNMP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SOCKS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SQLiteReader.sqlite.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SQLiteWriter.sqlite.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SSH.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SSH.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SSL.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SSL.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SSL.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SSL.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_SteppingStone.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Syslog.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_TCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_TCP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Teredo.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_UDP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Unified2.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Unified2.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_VXLAN.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_X509.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_X509.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_X509.ocsp_events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_X509.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_XMPP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/acld.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/add-geodata.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/addrs.zeek)
@@ -1659,8 +1659,8 @@
 0.000000   MetaHookPre   LoadFile(0, <...>/__load__.zeek)
 0.000000   MetaHookPre   LoadFile(0, <...>/__preload__.zeek)
 0.000000   MetaHookPre   LoadFile(0, <...>/hooks.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/Bro_KRB.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/Bro_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_KRB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_SNMP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/active-http.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/addrs.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer)
@@ -2044,7 +2044,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1559965406.801449, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2221,7 +2221,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1559965406.801449, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2333,125 +2333,125 @@
 0.000000 | HookDrainEvents
 0.000000 | HookLoadFile  ..<...>/main.zeek
 0.000000 | HookLoadFile  ..<...>/plugin.zeek
-0.000000 | HookLoadFile  .<...>/Bro_ARP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_AsciiReader.ascii.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_AsciiWriter.ascii.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_BackDoor.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_BenchmarkReader.benchmark.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_BinaryReader.binary.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_BitTorrent.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_ConfigReader.config.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_ConnSize.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_ConnSize.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_DCE_RPC.consts.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_DCE_RPC.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_DCE_RPC.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_DHCP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_DHCP.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_DNP3.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_DNS.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_FTP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_FTP.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_File.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_FileEntropy.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_FileExtract.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_FileExtract.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_FileHash.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Finger.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_GSSAPI.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_GTPv1.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Gnutella.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_HTTP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_HTTP.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_ICMP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_IMAP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_IRC.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Ident.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_InterConn.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_KRB.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_KRB.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Login.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Login.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_MIME.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Modbus.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_MySQL.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_NCP.consts.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_NCP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_NTLM.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_NTLM.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_NTP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_NetBIOS.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_NetBIOS.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_NoneWriter.none.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_PE.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_POP3.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_RADIUS.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_RDP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_RDP.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_RFB.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_RPC.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_RawReader.raw.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SIP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.consts.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_check_directory.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_close.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_create_directory.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_echo.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_logoff_andx.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_negotiate.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_nt_cancel.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_query_information.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_read_andx.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_transaction.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_transaction2.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_com_write_andx.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb1_events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_close.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_create.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_negotiate.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_read.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_session_setup.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_set_info.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_transform_header.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_tree_connect.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_com_write.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.smb2_events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMB.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMTP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SMTP.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SNMP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SNMP.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SOCKS.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SQLiteReader.sqlite.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SQLiteWriter.sqlite.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SSH.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SSH.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SSL.consts.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SSL.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SSL.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SSL.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_SteppingStone.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Syslog.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_TCP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_TCP.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Teredo.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_UDP.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Unified2.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_Unified2.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_VXLAN.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_X509.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_X509.functions.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_X509.ocsp_events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_X509.types.bif.zeek
-0.000000 | HookLoadFile  .<...>/Bro_XMPP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_ARP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_AsciiReader.ascii.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_AsciiWriter.ascii.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_BackDoor.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_BinaryReader.binary.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_BitTorrent.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_ConfigReader.config.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_ConnSize.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_ConnSize.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_DCE_RPC.consts.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_DCE_RPC.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_DCE_RPC.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_DHCP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_DHCP.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_DNP3.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_DNS.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_FTP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_FTP.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_File.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_FileEntropy.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_FileExtract.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_FileExtract.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_FileHash.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Finger.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_GSSAPI.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_GTPv1.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Gnutella.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_HTTP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_HTTP.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_ICMP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_IMAP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_IRC.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Ident.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_InterConn.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_KRB.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_KRB.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Login.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Login.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_MIME.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Modbus.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_MySQL.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_NCP.consts.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_NCP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_NTLM.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_NTLM.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_NTP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_NetBIOS.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_NetBIOS.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_NoneWriter.none.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_PE.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_RADIUS.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_RDP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_RDP.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_RFB.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_RPC.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_RawReader.raw.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SIP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.consts.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_check_directory.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_close.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_create_directory.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_echo.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_negotiate.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_query_information.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_read_andx.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_transaction.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_transaction2.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_com_write_andx.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb1_events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_close.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_create.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_negotiate.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_read.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_session_setup.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_set_info.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_transform_header.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_com_write.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.smb2_events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMB.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMTP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SMTP.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SNMP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SOCKS.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SQLiteReader.sqlite.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SQLiteWriter.sqlite.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SSH.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SSH.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SSL.consts.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SSL.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SSL.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SSL.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_SteppingStone.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Syslog.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_TCP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_TCP.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Teredo.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_UDP.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Unified2.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_Unified2.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_VXLAN.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_X509.events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_X509.functions.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_X509.ocsp_events.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_X509.types.bif.zeek
+0.000000 | HookLoadFile  .<...>/Zeek_XMPP.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/acld.zeek
 0.000000 | HookLoadFile  .<...>/add-geodata.zeek
 0.000000 | HookLoadFile  .<...>/addrs.zeek
@@ -2553,8 +2553,8 @@
 0.000000 | HookLoadFile  <...>/__load__.zeek
 0.000000 | HookLoadFile  <...>/__preload__.zeek
 0.000000 | HookLoadFile  <...>/hooks.zeek
-0.000000 | HookLoadFile  base<...>/Bro_KRB.types.bif.zeek
-0.000000 | HookLoadFile  base<...>/Bro_SNMP.types.bif.zeek
+0.000000 | HookLoadFile  base<...>/Zeek_KRB.types.bif.zeek
+0.000000 | HookLoadFile  base<...>/Zeek_SNMP.types.bif.zeek
 0.000000 | HookLoadFile  base<...>/active-http.zeek
 0.000000 | HookLoadFile  base<...>/addrs.zeek
 0.000000 | HookLoadFile  base<...>/analyzer
@@ -2651,7 +2651,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1559874010.315687, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1559965406.801449, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek b/testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek
index e913fbc544..3a1566b5a2 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/error.zeek
@@ -1,6 +1,6 @@
 #
 # @TEST-REQUIRES: which sqlite3
-# @TEST-REQUIRES: has-writer Bro::SQLiteWriter
+# @TEST-REQUIRES: has-writer Zeek::SQLiteWriter
 # @TEST-GROUP: sqlite
 #
 # @TEST-EXEC: cat ssh.sql | sqlite3 ssh.sqlite
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek b/testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek
index 17779a6312..e597a74024 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/set.zeek
@@ -3,7 +3,7 @@
 # chance of being off by one if someone changes it).
 #
 # @TEST-REQUIRES: which sqlite3
-# @TEST-REQUIRES: has-writer Bro::SQLiteWriter
+# @TEST-REQUIRES: has-writer Zeek::SQLiteWriter
 # @TEST-GROUP: sqlite
 #
 # @TEST-EXEC: zeek -b %INPUT
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek b/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek
index f685dfa26f..fcdbd928ee 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/simultaneous-writes.zeek
@@ -1,7 +1,7 @@
 # Test simultaneous writes to the same database file.
 #
 # @TEST-REQUIRES: which sqlite3
-# @TEST-REQUIRES: has-writer Bro::SQLiteWriter
+# @TEST-REQUIRES: has-writer Zeek::SQLiteWriter
 # @TEST-GROUP: sqlite
 #
 # @TEST-EXEC: zeek -b %INPUT
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek b/testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek
index 751517a9b9..065fa98a77 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/types.zeek
@@ -1,6 +1,6 @@
 #
 # @TEST-REQUIRES: which sqlite3
-# @TEST-REQUIRES: has-writer Bro::SQLiteWriter
+# @TEST-REQUIRES: has-writer Zeek::SQLiteWriter
 # @TEST-GROUP: sqlite
 #
 # @TEST-EXEC: zeek -b %INPUT
diff --git a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.zeek b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.zeek
index 8ffc867b92..cd6eaf7f26 100644
--- a/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/sqlite/wikipedia.zeek
@@ -1,6 +1,6 @@
 #
 # @TEST-REQUIRES: which sqlite3
-# @TEST-REQUIRES: has-writer Bro::SQLiteWriter
+# @TEST-REQUIRES: has-writer Zeek::SQLiteWriter
 # @TEST-GROUP: sqlite
 #
 # @TEST-EXEC: zeek -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE

From d0465bc45db6d1ee6601946280c380147fd01d93 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Sun, 9 Jun 2019 20:21:56 +0200
Subject: [PATCH 49/91] add extended mac field with 20 byte digest (+4 byte key
 id)

---
 src/analyzer/protocol/ntp/ntp-analyzer.pac |  7 +++++--
 src/analyzer/protocol/ntp/ntp-protocol.pac | 15 +++++++++++----
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index af42ddf9d1..654e6b11f6 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -65,10 +65,13 @@ refine flow NTP_Flow += {
                 rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
                 rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
 
-		if (${nsm.has_mac}) {
+		if (${nsm.mac_len}==20) {
 		    rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id}));
 		    rv->Assign(14, bytestring_to_val(${nsm.mac.digest}));
-		}
+		} else if (${nsm.mac_len}==24) {
+		    rv->Assign(13, val_mgr->GetCount(${nsm.mac_ext.key_id}));
+		    rv->Assign(14, bytestring_to_val(${nsm.mac_ext.digest}));
+		} 
 		// TODO: add extension fields
                 //rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
 
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index fd3a43f9c9..499cd1398c 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -40,13 +40,14 @@ type NTP_std_msg = record {
         receive_ts     : NTP_Time;
         transmit_ts    : NTP_Time;
         #extensions     : Extension_Field[] &until($input.length() == 20); #TODO: this need to be properly parsed 
-        mac_fields     : case (has_mac) of {
-                                true  -> mac : NTP_MAC;
+        mac_fields     : case (mac_len) of {
+                                20  -> mac 	: NTP_MAC;
+                                24  -> mac_ext 	: NTP_MAC_ext;
                                 false -> nil : empty;
-                         } &requires(has_mac);
+                         } &requires(mac_len);
 } &let {
         length          = sourcedata.length();
-	has_mac: bool	= (length - offsetof(mac_fields)) == 20;
+	mac_len: uint32	= (length - offsetof(mac_fields));
 } &byteorder=bigendian &exportsourcedata;
 
 # This format is for mode==6, control msg
@@ -78,6 +79,12 @@ type NTP_MAC = record {
 	digest: bytestring &length=16;
 } &length=20;
 
+# As in RFC 5906, same as NTP_MAC but with a 160 bit digest
+type NTP_MAC_ext = record {
+	key_id: uint32;
+	digest: bytestring &length=20;
+} &length=24;
+
 # As in RFC 1119
 type NTP_CONTROL_MAC = record {
         key_id: uint32;

From af91246c0311fdabee95ec6943a2fa60791a3925 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Sun, 9 Jun 2019 21:25:16 +0200
Subject: [PATCH 50/91] add extension fields parsing

---
 src/analyzer/protocol/ntp/ntp-protocol.pac | 29 +++++++++++++++++-----
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index 499cd1398c..36e4c633d9 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -39,14 +39,18 @@ type NTP_std_msg = record {
         origin_ts      : NTP_Time;
         receive_ts     : NTP_Time;
         transmit_ts    : NTP_Time;
-        #extensions     : Extension_Field[] &until($input.length() == 20); #TODO: this need to be properly parsed 
+        extensions     : case (has_exts) of {
+				true -> exts	: Extension_Field[] &until($input.length() > 24); 
+				false -> nil 	: empty;
+                         } &requires(has_exts);
         mac_fields     : case (mac_len) of {
                                 20  -> mac 	: NTP_MAC;
                                 24  -> mac_ext 	: NTP_MAC_ext;
-                                false -> nil : empty;
+                                default -> nil2 : empty;
                          } &requires(mac_len);
 } &let {
         length          = sourcedata.length();
+	has_exts: bool	= (length - offsetof(extensions)) > 24;
 	mac_len: uint32	= (length - offsetof(mac_fields));
 } &byteorder=bigendian &exportsourcedata;
 
@@ -69,7 +73,7 @@ type NTP_control_msg = record {
         E:	bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
         M:     	bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
         OpCode:	uint8  = (second_byte & 0x1F);		# Last 5 bits of 8-bits value
-        length          = sourcedata.length();
+        length         = sourcedata.length();
         has_control_mac: bool   = (length - offsetof(mac_fields)) == 12;
 } &byteorder=bigendian &exportsourcedata;
 
@@ -91,10 +95,23 @@ type NTP_CONTROL_MAC = record {
      	crypto_checksum: bytestring &length=8;
 } &length=12;
 
+# As defined in RFC 5906
 type Extension_Field = record {
-  field_type: uint16;
-  ext_len   : uint16;
-  data      : bytestring &length=ext_len-4;
+  first_byte_ext: uint8;
+  field_type	: uint8;
+  len		: uint16;
+  association_id: uint16;
+  timestamp	: uint32;
+  filestamp	: uint32;
+  value_len	: uint32;
+  value		: bytestring &length=value_len;
+  sig_len	: uint32;
+  signature	: bytestring &length=sig_len;
+  pad		: padding to (len - offsetof(first_byte_ext));
+} &let {
+        R:	bool   = (first_byte_ext & 0x80) > 0;	# First bit of 8-bits value
+        E:	bool   = (first_byte_ext & 0x40) > 0;	# Second bit of 8-bits value
+        Code:	uint8  = (first_byte_ext & 0x3F);	# Last 6 bits of 8-bits value
 };
 
 type NTP_Short_Time = record {

From 40886fe61139c4f11c9b0a045b12e41e2c5fc7ac Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Sun, 9 Jun 2019 21:47:09 +0200
Subject: [PATCH 51/91] code clean up

---
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 112 ++++++++++-----------
 src/analyzer/protocol/ntp/ntp-mode7.pac    |  16 +--
 src/analyzer/protocol/ntp/ntp-protocol.pac |  49 +++++----
 3 files changed, 88 insertions(+), 89 deletions(-)

diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 654e6b11f6..2d6714781c 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -35,81 +35,81 @@ refine flow NTP_Flow += {
         # This builds the standard msg record
         function BuildNTPStdMsg(nsm: NTP_std_msg): BroVal
         %{
-                RecordVal* rv = new RecordVal(BifType::Record::NTP::std);
+           RecordVal* rv = new RecordVal(BifType::Record::NTP::std);
 
-               	rv->Assign(0, val_mgr->GetCount(${nsm.stratum}));
-                rv->Assign(1, new Val(pow(2, ${nsm.poll}), TYPE_INTERVAL));
-                rv->Assign(2, new Val(pow(2, ${nsm.precision}), TYPE_INTERVAL));
-                rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
-                rv->Assign(4, proc_ntp_short(${nsm.root_dispersion}));
+           rv->Assign(0, val_mgr->GetCount(${nsm.stratum}));
+           rv->Assign(1, new Val(pow(2, ${nsm.poll}), TYPE_INTERVAL));
+           rv->Assign(2, new Val(pow(2, ${nsm.precision}), TYPE_INTERVAL));
+           rv->Assign(3, proc_ntp_short(${nsm.root_delay}));
+           rv->Assign(4, proc_ntp_short(${nsm.root_dispersion}));
 
-              	switch ( ${nsm.stratum} )
-              	{
-                 case 0:
-                    // unknown stratum => kiss code
-                    rv->Assign(5, bytestring_to_val(${nsm.reference_id}));
-                    break;
-                 case 1:
-                    // reference clock => ref clock string
-                    rv->Assign(6, bytestring_to_val(${nsm.reference_id}));
-                    break;
-                 default:
-                    // TODO: Check for v4/v6
-                    const uint8* d = ${nsm.reference_id}.data();
-                    rv->Assign(7, new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
-                    break;
-              	}
+           switch ( ${nsm.stratum} )
+           {
+              case 0:
+                 // unknown stratum => kiss code
+                 rv->Assign(5, bytestring_to_val(${nsm.reference_id}));
+                 break;
+              case 1:
+                 // reference clock => ref clock string
+                 rv->Assign(6, bytestring_to_val(${nsm.reference_id}));
+                 break;
+              default:
+                 // TODO: Check for v4/v6
+                 const uint8* d = ${nsm.reference_id}.data();
+                 rv->Assign(7, new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
+                 break;
+           }
 
-                rv->Assign(9, proc_ntp_timestamp(${nsm.reference_ts}));
-                rv->Assign(10, proc_ntp_timestamp(${nsm.origin_ts}));
-                rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
-                rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
+           rv->Assign(9, proc_ntp_timestamp(${nsm.reference_ts}));
+           rv->Assign(10, proc_ntp_timestamp(${nsm.origin_ts}));
+           rv->Assign(11, proc_ntp_timestamp(${nsm.receive_ts}));
+           rv->Assign(12, proc_ntp_timestamp(${nsm.transmit_ts}));
 
-		if (${nsm.mac_len}==20) {
-		    rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id}));
-		    rv->Assign(14, bytestring_to_val(${nsm.mac.digest}));
-		} else if (${nsm.mac_len}==24) {
-		    rv->Assign(13, val_mgr->GetCount(${nsm.mac_ext.key_id}));
-		    rv->Assign(14, bytestring_to_val(${nsm.mac_ext.digest}));
-		} 
-		// TODO: add extension fields
-                //rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
+	   if (${nsm.mac_len}==20) {
+	      rv->Assign(13, val_mgr->GetCount(${nsm.mac.key_id}));
+	      rv->Assign(14, bytestring_to_val(${nsm.mac.digest}));
+	   } else if (${nsm.mac_len}==24) {
+	      rv->Assign(13, val_mgr->GetCount(${nsm.mac_ext.key_id}));
+	      rv->Assign(14, bytestring_to_val(${nsm.mac_ext.digest}));
+	   } 
+	   // TODO: add extension fields
+           //rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
 
-        	return rv;
+           return rv;
         %}
 
         # This builds the control msg record
         function BuildNTPControlMsg(ncm: NTP_control_msg): BroVal
         %{
-                RecordVal* rv = new RecordVal(BifType::Record::NTP::control);
+           RecordVal* rv = new RecordVal(BifType::Record::NTP::control);
 
-                rv->Assign(0, val_mgr->GetCount(${ncm.OpCode}));
-                rv->Assign(1, val_mgr->GetBool(${ncm.R}));
-                rv->Assign(2, val_mgr->GetBool(${ncm.E}));
-                rv->Assign(3, val_mgr->GetBool(${ncm.M}));
-                rv->Assign(4, val_mgr->GetCount(${ncm.sequence}));
-                rv->Assign(5, val_mgr->GetCount(${ncm.status}));
-                rv->Assign(6, val_mgr->GetCount(${ncm.association_id}));
-                rv->Assign(7, val_mgr->GetCount(${ncm.offs}));
-                rv->Assign(8, val_mgr->GetCount(${ncm.c}));
-                rv->Assign(9, bytestring_to_val(${ncm.data}));
+           rv->Assign(0, val_mgr->GetCount(${ncm.OpCode}));
+           rv->Assign(1, val_mgr->GetBool(${ncm.R}));
+           rv->Assign(2, val_mgr->GetBool(${ncm.E}));
+           rv->Assign(3, val_mgr->GetBool(${ncm.M}));
+           rv->Assign(4, val_mgr->GetCount(${ncm.sequence}));
+           rv->Assign(5, val_mgr->GetCount(${ncm.status}));
+           rv->Assign(6, val_mgr->GetCount(${ncm.association_id}));
+           rv->Assign(7, val_mgr->GetCount(${ncm.offs}));
+           rv->Assign(8, val_mgr->GetCount(${ncm.c}));
+           rv->Assign(9, bytestring_to_val(${ncm.data}));
 
-                return rv;
+           return rv;
         %}
 
         # This builds the mode7 msg record
         function BuildNTPMode7Msg(m7: NTP_mode7_msg): BroVal
         %{
-                RecordVal* rv = new RecordVal(BifType::Record::NTP::mode7);
+           RecordVal* rv = new RecordVal(BifType::Record::NTP::mode7);
 
-                rv->Assign(0, val_mgr->GetCount(${m7.request_code}));
-                rv->Assign(1, val_mgr->GetBool(${m7.auth_bit}));
-                rv->Assign(2, val_mgr->GetCount(${m7.sequence}));
-                rv->Assign(3, val_mgr->GetCount(${m7.implementation}));
-                rv->Assign(4, val_mgr->GetCount(${m7.error_code}));
-                rv->Assign(5, bytestring_to_val(${m7.data}));
+           rv->Assign(0, val_mgr->GetCount(${m7.request_code}));
+           rv->Assign(1, val_mgr->GetBool(${m7.auth_bit}));
+           rv->Assign(2, val_mgr->GetCount(${m7.sequence}));
+           rv->Assign(3, val_mgr->GetCount(${m7.implementation}));
+           rv->Assign(4, val_mgr->GetCount(${m7.error_code}));
+           rv->Assign(5, bytestring_to_val(${m7.data}));
 
-                return rv;
+           return rv;
         %}
 
 
diff --git a/src/analyzer/protocol/ntp/ntp-mode7.pac b/src/analyzer/protocol/ntp/ntp-mode7.pac
index 33b88ec6c4..4ff1051390 100644
--- a/src/analyzer/protocol/ntp/ntp-mode7.pac
+++ b/src/analyzer/protocol/ntp/ntp-mode7.pac
@@ -14,17 +14,17 @@
 #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 #   |  Err  | Number of data items  |  MBZ  |   Size of data item   |
 #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-#   |								     |
+#   |								    |
 #   |            Data (Minimum 0 octets, maximum 500 octets)        |
-#   |								     |
+#   |								    |
 #                            [...]
-#   |								     |
+#   |								    |
 #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 #   |               Encryption Keyid (when A bit set)               |
 #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-#   |								     |
+#   |								    |
 #   |          Message Authentication Code (when A bit set)         |
-#   |								     |
+#   |								    |
 #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 #
 # where the fields are (note that the client sends requests, the server
@@ -115,9 +115,9 @@ type NTP_mode7_msg = record {
     			false -> nil: empty;
   			};
 } &let {
-  auth_bit  : bool  = (second_byte & 0x80) > 0;
-  sequence  : uint8 = (second_byte & 0x7F);
-  error_code: uint8 = (err_and_data_len & 0xF000) >> 12;
+  auth_bit  : bool   = (second_byte & 0x80) > 0;
+  sequence  : uint8  = (second_byte & 0x7F);
+  error_code: uint8  = (err_and_data_len & 0xF000) >> 12;
   data_len  : uint16 = (err_and_data_len & 0x0FFF);
 } &byteorder=bigendian &exportsourcedata;
 
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index 36e4c633d9..55b09a0ce7 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -1,10 +1,9 @@
-
 # This is the common part in the header format. 
 # See RFC 5905 for details
 type NTP_PDU(is_orig: bool) = record {
 	# The first byte of the NTP header contains the leap indicator,
 	# the version and the mode
-	first_byte     : uint8;
+	first_byte     	: uint8;
   	# Modes 1-5 are standard NTP time sync
   	standard_modes  : case (mode>=1 && mode<=5) of {
   		true  	-> std		: NTP_std_msg;
@@ -18,9 +17,9 @@ type NTP_PDU(is_orig: bool) = record {
   		default -> unknown	: bytestring &restofdata;
   	};
 } &let {
-	leap:     uint8  = (first_byte & 0xc0)>>6;   	# First 2 bits of 8-bits value
-	version:  uint8  = (first_byte & 0x38)>>3; 	# Bits 3-5 of 8-bits value
-	mode:     uint8  = (first_byte & 0x07);  	# Bits 6-8 of 8-bits value
+	leap	:	uint8  = (first_byte & 0xc0)>>6;   	# First 2 bits of 8-bits value
+	version	:	uint8  = (first_byte & 0x38)>>3; 	# Bits 3-5 of 8-bits value
+	mode	:	uint8  = (first_byte & 0x07);  		# Bits 6-8 of 8-bits value
 } &byteorder=bigendian &exportsourcedata;
 
 # This is the most common type of message, corresponding to modes 1-5
@@ -40,13 +39,13 @@ type NTP_std_msg = record {
         receive_ts     : NTP_Time;
         transmit_ts    : NTP_Time;
         extensions     : case (has_exts) of {
-				true -> exts	: Extension_Field[] &until($input.length() > 24); 
+				true  -> exts	: Extension_Field[] &until($input.length() > 24); 
 				false -> nil 	: empty;
                          } &requires(has_exts);
         mac_fields     : case (mac_len) of {
-                                20  -> mac 	: NTP_MAC;
-                                24  -> mac_ext 	: NTP_MAC_ext;
-                                default -> nil2 : empty;
+                                20	-> mac		: NTP_MAC;
+                                24 	-> mac_ext 	: NTP_MAC_ext;
+                                default -> nil2 	: empty;
                          } &requires(mac_len);
 } &let {
         length          = sourcedata.length();
@@ -64,35 +63,35 @@ type NTP_control_msg = record {
         offs		: uint16;
         c	   	: uint16;
 	data		: bytestring &length=c;
-        mac_fields     : case (has_control_mac) of {
+        mac_fields	: case (has_control_mac) of {
                                 true  -> mac : NTP_CONTROL_MAC;
                                 false -> nil : empty;
                          } &requires(has_control_mac);
 } &let {
-        R:	bool   = (second_byte & 0x80) > 0;	# First bit of 8-bits value
-        E:	bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
-        M:     	bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
-        OpCode:	uint8  = (second_byte & 0x1F);		# Last 5 bits of 8-bits value
-        length         = sourcedata.length();
+        R	: bool   = (second_byte & 0x80) > 0;	# First bit of 8-bits value
+        E	: bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
+        M	: bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
+        OpCode	: uint8  = (second_byte & 0x1F);	# Last 5 bits of 8-bits value
+        length	= sourcedata.length();
         has_control_mac: bool   = (length - offsetof(mac_fields)) == 12;
 } &byteorder=bigendian &exportsourcedata;
 
 # As in RFC 5905
 type NTP_MAC = record {
-	key_id: uint32;
-	digest: bytestring &length=16;
+	key_id	: uint32;
+	digest	: bytestring &length=16;
 } &length=20;
 
 # As in RFC 5906, same as NTP_MAC but with a 160 bit digest
 type NTP_MAC_ext = record {
-	key_id: uint32;
-	digest: bytestring &length=20;
+	key_id	: uint32;
+	digest	: bytestring &length=20;
 } &length=24;
 
 # As in RFC 1119
 type NTP_CONTROL_MAC = record {
-        key_id: uint32;
-     	crypto_checksum: bytestring &length=8;
+        key_id		: uint32;
+     	crypto_checksum	: bytestring &length=8;
 } &length=12;
 
 # As defined in RFC 5906
@@ -115,11 +114,11 @@ type Extension_Field = record {
 };
 
 type NTP_Short_Time = record {
-  seconds:   int16;
-  fractions: int16;
+  seconds	: int16;
+  fractions	: int16;
 };
 
 type NTP_Time = record {
-  seconds:   uint32;
-  fractions: uint32;
+  seconds	: uint32;
+  fractions	: uint32;
 };

From 1c078bed255218fbd155fe7bcc1693360293e903 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Tue, 11 Jun 2019 15:06:38 +0200
Subject: [PATCH 52/91] fix wrong assignment of control key_id/crypto_checksum

---
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 2d6714781c..0418a50a98 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -90,9 +90,12 @@ refine flow NTP_Flow += {
            rv->Assign(4, val_mgr->GetCount(${ncm.sequence}));
            rv->Assign(5, val_mgr->GetCount(${ncm.status}));
            rv->Assign(6, val_mgr->GetCount(${ncm.association_id}));
-           rv->Assign(7, val_mgr->GetCount(${ncm.offs}));
-           rv->Assign(8, val_mgr->GetCount(${ncm.c}));
-           rv->Assign(9, bytestring_to_val(${ncm.data}));
+           rv->Assign(7, bytestring_to_val(${ncm.data}));
+
+           if (${ncm.has_control_mac}) {
+              rv->Assign(8, val_mgr->GetCount(${ncm.mac.key_id}));
+              rv->Assign(9, bytestring_to_val(${ncm.mac.crypto_checksum}));
+           }
 
            return rv;
         %}

From 6c29feb1d7b1d8fad3641ce5c1f0a46365a47345 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Tue, 11 Jun 2019 15:29:37 +0200
Subject: [PATCH 53/91] fix some initializations

---
 src/analyzer/protocol/ntp/ntp-analyzer.pac | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 0418a50a98..a560c3d3fd 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -71,10 +71,12 @@ refine flow NTP_Flow += {
 	   } else if (${nsm.mac_len}==24) {
 	      rv->Assign(13, val_mgr->GetCount(${nsm.mac_ext.key_id}));
 	      rv->Assign(14, bytestring_to_val(${nsm.mac_ext.digest}));
-	   } 
-	   // TODO: add extension fields
-           //rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.extensions}->size()));
+	   }
 
+	   if (${nsm.has_exts}) { 
+	      // TODO: add extension fields
+              rv->Assign(15, val_mgr->GetCount((uint32) ${nsm.exts}->size()));
+	   }
            return rv;
         %}
 
@@ -90,7 +92,9 @@ refine flow NTP_Flow += {
            rv->Assign(4, val_mgr->GetCount(${ncm.sequence}));
            rv->Assign(5, val_mgr->GetCount(${ncm.status}));
            rv->Assign(6, val_mgr->GetCount(${ncm.association_id}));
-           rv->Assign(7, bytestring_to_val(${ncm.data}));
+
+	   if (${ncm.c}>0)
+              rv->Assign(7, bytestring_to_val(${ncm.data}));
 
            if (${ncm.has_control_mac}) {
               rv->Assign(8, val_mgr->GetCount(${ncm.mac.key_id}));
@@ -110,7 +114,8 @@ refine flow NTP_Flow += {
            rv->Assign(2, val_mgr->GetCount(${m7.sequence}));
            rv->Assign(3, val_mgr->GetCount(${m7.implementation}));
            rv->Assign(4, val_mgr->GetCount(${m7.error_code}));
-           rv->Assign(5, bytestring_to_val(${m7.data}));
+	   if (${m7.data_len}>0)
+             rv->Assign(5, bytestring_to_val(${m7.data}));
 
            return rv;
         %}

From 1ce5521ecc6faf83e7532b35e89aadf8d33a3f70 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Wed, 5 Jun 2019 18:46:51 +0000
Subject: [PATCH 54/91] Couple of compile fixes.

This is branched from topic/johanna/remove-serializer.
---
 src/analyzer/protocol/krb/KRB.cc   | 2 ++
 src/probabilistic/CounterVector.cc | 1 +
 2 files changed, 3 insertions(+)

diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc
index 4ee663dcf1..e6bd42b961 100644
--- a/src/analyzer/protocol/krb/KRB.cc
+++ b/src/analyzer/protocol/krb/KRB.cc
@@ -1,5 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <unistd.h>
+
 #include "KRB.h"
 #include "types.bif.h"
 #include "events.bif.h"
diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc
index 1a3c98c73f..e234d5c9d9 100644
--- a/src/probabilistic/CounterVector.cc
+++ b/src/probabilistic/CounterVector.cc
@@ -2,6 +2,7 @@
 
 #include "CounterVector.h"
 
+#include <cassert>
 #include <limits>
 #include "BitVector.h"
 

From 52b5124767ebdc701dd895e15faeaa6261088925 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer2@gmail.com>
Date: Wed, 12 Jun 2019 02:44:37 -0500
Subject: [PATCH 55/91] Create local.zeek as symlink for upgrade installs

Since the default install prefix has changed from /usr/local/bro
to /usr/local/zeek, the local.zeek will be created as a symlink to
the old local.bro if doing an upgrade install and if using the default
install prefix.
---
 scripts/CMakeLists.txt | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 266981dd9e..471c408dcf 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -26,6 +26,22 @@ if ( NOT BINARY_PACKAGING_MODE )
       endif ()
     endif ()
   ")
+
+  # If the user is installing into the default Zeek prefix and if the old Bro
+  # default prefix exists, then treat this install as an upgrade and install
+  # the new local.zeek as a symlink to the old local.bro.
+  set(_old_local_bro /usr/local/bro/share/bro/site/local.bro)
+  set(_bro_default_prefix /usr/local/bro)
+  set(_zeek_default_prefix /usr/local/zeek)
+
+  install(CODE "
+    if ( EXISTS \"${_bro_default_prefix}\" AND \"${ZEEK_ROOT_DIR}\" STREQUAL \"${_zeek_default_prefix}\" )
+        message(STATUS \"WARNING: installed ${_local_zeek_dst} as symlink to ${_old_local_bro}\")
+        execute_process(COMMAND \"${CMAKE_COMMAND}\" -E create_symlink
+          \"${_old_local_bro}\" \"${_local_zeek_dst}\")
+    endif ()
+  ")
+
 endif ()
 
 # Install local script as a config file since it's meant to be modified directly.

From b130cc793139f569c56e9b720b16aac6ee257534 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Wed, 12 Jun 2019 12:46:18 +0200
Subject: [PATCH 56/91] minor changes in the documentation

---
 scripts/base/init-bare.zeek | 43 ++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index a9b39ec5d1..97f9fea557 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4938,32 +4938,41 @@ export {
 	## This record contains the standard fields used by the NTP protocol
 	## for standard syncronization operations. 
 	type NTP::std: record {
-        ## The stratum (primary server, secondary server, etc.)
+        ## This value mainly identifies the type of server (primary server, 
+	## secondary server, etc.). Possible values, as in :rfc:`5905`, are:
+	## 0 -> unspecified or invalid
+	## 1 -> primary server (e.g., equipped with a GPS receiver)
+	## 2-15 -> secondary server (via NTP)
+	## 16 -> unsynchronized
+	## 17-255 -> reserved
+	## For stratum=0, a kiss_code can be given for debugging and monitoring
         stratum:            count;
         ## The maximum interval between successive messages
         poll:               interval;
         ## The precision of the system clock
         precision:          interval;
-        ## Total round-trip delay to the reference clock
+        ## Root delay. The total round-trip delay to the reference clock
         root_delay:         interval;
-        ## Total dispersion to the reference clock
+        ## Root Dispersion. The total dispersion to the reference clock
         root_disp:          interval;
-        ## For stratum 0, 4 character string used for debugging
+        ## For stratum 0, four-character ASCII string used for debugging and monitoring.
+	## Values are defined in :rfc:`1345`.
         kiss_code:          string &optional;
-        ## For stratum 1, ID assigned to the reference clock by IANA
+        ## Reference ID. For stratum=1, this is the ID assigned to the reference clock by IANA.
+	## For example: GOES, GPS, GAL, etc. (see :rfc:`5905`)
         ref_id:             string &optional;
         ## Above stratum 1, when using IPv4, the IP address of the reference clock
         ref_addr:           addr &optional;
         ## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
-        ## IPv6 address of the reference clock
+        ## IPv6 address of the reference clock. Note: currently not implemented.
         ref_v6_hash_prefix: string &optional;
-        ## Time when the system clock was last set or correct
+        ## Reference timestamp. Time when the system clock was last set or correct
         ref_time:           time;
-        ## Time at the client when the request departed for the NTP server
+        ## Origin timestamp. Time at the client when the request departed for the NTP server
         org_time:           time;
-        ## Time at the server when the request arrived from the NTP client
+        ## Receive timestamp. Time at the server when the request arrived from the NTP client
         rec_time:           time;
-        ## Time at the server when the response departed for the NTP client
+        ## Transmit timestamp. Time at the server when the response departed for the NTP client
         xmt_time:           time;
         ## Key used to designate a secret MD5 key
         key_id:             count &optional;
@@ -5051,11 +5060,19 @@ export {
         };
 
         ## NTP message as defined in :rfc:`5905`.
-        ## Doesn't include fields for mode 7 (reserved for private use), e.g. monlist
+        ## Does include fields for mode 7, reserved for private use in :rfc:`5905`, but used
+	## in some implementation for commands such as "monlist". 
         type NTP::Message: record {
-        ## The NTP version number (1, 2, 3, 4)
+        ## The NTP version number (1, 2, 3, 4). 
         version:            count;
-        ## The NTP mode being used
+        ## The NTP mode being used. Possible values are:
+	## 1 - symmetric active 
+	## 2 - symmetric passive 
+	## 3 - client
+	## 4 - server 
+	## 5 - broadcast
+	## 6 - NTP control message
+	## 7 - reserved for private use
         mode:               count;
 	## If mode=1-5, the standard fields for syncronization operations are here.
 	## See :rfc:`5905`

From 0ab1f0fe25a5cdcdbfcdbb6adb4cdb29b0864adb Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Wed, 12 Jun 2019 10:34:27 -0700
Subject: [PATCH 57/91] Updating submodule(s).

 [nomail]
---
 aux/zeek-aux | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/zeek-aux b/aux/zeek-aux
index 9a9b106f9f..892b9e720e 160000
--- a/aux/zeek-aux
+++ b/aux/zeek-aux
@@ -1 +1 @@
-Subproject commit 9a9b106f9f2df702260ce0a6391ad047b37d0e48
+Subproject commit 892b9e720e0770c51bb90ba179522ea504bda7d3

From 0af79a7a16d6f54fb2c35a5a82633c7655ad31dc Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 12 Jun 2019 13:48:56 -0700
Subject: [PATCH 58/91] GH-393: Add slice notation for vectors

---
 src/Expr.cc                                | 35 ++++++++++++++++++----
 src/Type.cc                                |  6 ++--
 testing/btest/Baseline/language.vector/out |  4 +++
 testing/btest/language/vector.zeek         |  7 ++++-
 4 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/src/Expr.cc b/src/Expr.cc
index 1ec357e945..3486ea1d6b 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -2913,8 +2913,8 @@ IndexExpr::IndexExpr(Expr* arg_op1, ListExpr* arg_op2, bool is_slice)
 
 	if ( is_slice )
 		{
-		if ( ! IsString(op1->Type()->Tag()) )
-			ExprError("slice notation indexing only supported for strings currently");
+		if ( ! IsString(op1->Type()->Tag()) && ! IsVector(op1->Type()->Tag()) )
+			ExprError("slice notation indexing only supported for strings and vectors currently");
 		}
 
 	else if ( IsString(op1->Type()->Tag()) )
@@ -2937,8 +2937,7 @@ IndexExpr::IndexExpr(Expr* arg_op1, ListExpr* arg_op2, bool is_slice)
 
 	else if ( ! op1->Type()->YieldType() )
 		{
-		if ( IsString(op1->Type()->Tag()) &&
-		     match_type == MATCHES_INDEX_SCALAR )
+		if ( IsString(op1->Type()->Tag()) && match_type == MATCHES_INDEX_SCALAR )
 			SetType(base_type(TYPE_STRING));
 		else
 		// It's a set - so indexing it yields void.  We don't
@@ -3104,7 +3103,33 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
 
 	switch ( v1->Type()->Tag() ) {
 	case TYPE_VECTOR:
-		v = v1->AsVectorVal()->Lookup(v2);
+		{
+		VectorVal* vect = v1->AsVectorVal();
+		const ListVal* lv = v2->AsListVal();
+
+		if ( lv->Length() == 1 )
+			v = vect->Lookup(v2);
+		else
+			{
+			int len = vect->Size();
+			VectorVal* result = nullptr;
+
+			bro_int_t first = get_slice_index(lv->Index(0)->CoerceToInt(), len);
+			bro_int_t last = get_slice_index(lv->Index(1)->CoerceToInt(), len);
+			int sub_length = last - first;
+
+			if ( sub_length >= 0 )
+				{
+				result = new VectorVal(vect->Type()->AsVectorType());
+				result->Resize(sub_length);
+
+				for ( int idx = first; idx < last; idx++ )
+					result->Assign(idx - first, vect->Lookup(idx)->Ref());
+				}
+
+			return result;
+			}
+		}
 		break;
 
 	case TYPE_TABLE:
diff --git a/src/Type.cc b/src/Type.cc
index 3fda9aa7ce..094a974255 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1773,10 +1773,12 @@ int VectorType::MatchesIndex(ListExpr*& index) const
 	{
 	expr_list& el = index->Exprs();
 
-	if ( el.length() != 1 )
+	if ( el.length() != 1 && el.length() != 2)
 		return DOES_NOT_MATCH_INDEX;
 
-	if ( el[0]->Type()->Tag() == TYPE_VECTOR )
+	if ( el.length() == 2 )
+		return MATCHES_INDEX_VECTOR;
+	else if ( el[0]->Type()->Tag() == TYPE_VECTOR )
 		return (IsIntegral(el[0]->Type()->YieldType()->Tag()) ||
 			 IsBool(el[0]->Type()->YieldType()->Tag())) ?
 				MATCHES_INDEX_VECTOR : DOES_NOT_MATCH_INDEX;
diff --git a/testing/btest/Baseline/language.vector/out b/testing/btest/Baseline/language.vector/out
index 0fdcc1fa24..d6ead054f1 100644
--- a/testing/btest/Baseline/language.vector/out
+++ b/testing/btest/Baseline/language.vector/out
@@ -58,3 +58,7 @@ access element (PASS)
 && operator (PASS)
 || operator (PASS)
 += operator (PASS)
+slicing (PASS)
+slicing (PASS)
+slicing (PASS)
+slicing (PASS)
diff --git a/testing/btest/language/vector.zeek b/testing/btest/language/vector.zeek
index 0564e52e4f..c4147b76ad 100644
--- a/testing/btest/language/vector.zeek
+++ b/testing/btest/language/vector.zeek
@@ -168,5 +168,10 @@ event zeek_init()
 	v16 += 40;
 	test_case( "+= operator", all_set(v16 == vector( 10, 20, 30, 40 )) );
 
+	# Slicing tests.
+	local v17 = vector( 1, 2, 3, 4, 5 );
+	test_case( "slicing", all_set(v17[0:2] == vector( 1, 2 )) );
+	test_case( "slicing", all_set(v17[-3:-1] == vector( 3, 4 )) );
+	test_case( "slicing", all_set(v17[:2] == vector( 1, 2 )) );
+	test_case( "slicing", all_set(v17[2:] == vector( 3, 4, 5 )) );
 }
-

From f1383d98c2dbfc76a412f57de806d2d17d86da31 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 12 Jun 2019 14:29:11 -0700
Subject: [PATCH 59/91] Return an empty vector if the indices for slicing don't
 make sense

---
 src/Expr.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/Expr.cc b/src/Expr.cc
index 3486ea1d6b..8d5bfcdc83 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3112,7 +3112,7 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
 		else
 			{
 			int len = vect->Size();
-			VectorVal* result = nullptr;
+			VectorVal* result = new VectorVal(vect->Type()->AsVectorType());
 
 			bro_int_t first = get_slice_index(lv->Index(0)->CoerceToInt(), len);
 			bro_int_t last = get_slice_index(lv->Index(1)->CoerceToInt(), len);
@@ -3120,7 +3120,6 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
 
 			if ( sub_length >= 0 )
 				{
-				result = new VectorVal(vect->Type()->AsVectorType());
 				result->Resize(sub_length);
 
 				for ( int idx = first; idx < last; idx++ )

From 7efc39d2282051242ad2d8002ece73908ee1c39f Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 22 May 2019 14:05:51 -0700
Subject: [PATCH 60/91] Add --sanitizers flag to configure script to enable
 Clang sanitizers

---
 CMakeLists.txt | 6 ++++++
 configure      | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index f5edf896c0..2a723ad8c3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -72,6 +72,12 @@ if(${ENABLE_DEBUG})
     set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug")
 endif()
 
+if (SANITIZERS)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
+    set(CMAKE_LD_FLAGS "${CMAKE_LD_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
+endif()
+
 ########################################################################
 ## Dependency Configuration
 
diff --git a/configure b/configure
index b1ea7bdff5..a7113e2dc0 100755
--- a/configure
+++ b/configure
@@ -58,6 +58,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --disable-perftools    don't try to build with Google Perftools
     --disable-python       don't try to build python bindings for Broker
     --disable-broker-tests don't try to build Broker unit tests
+    --sanitizers=SANITIZERS comma-separated list of Clang sanitizers to enable
 
   Required Packages in Non-Standard Locations:
     --with-openssl=PATH    path to OpenSSL install root
@@ -144,6 +145,7 @@ append_cache_entry INSTALL_ZEEKCTL      BOOL   true
 append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
 append_cache_entry ENABLE_MOBILE_IPV6   BOOL   false
 append_cache_entry DISABLE_PERFTOOLS    BOOL   false
+append_cache_entry SANITIZERS           STRING ""
 
 # parse arguments
 while [ $# -ne 0 ]; do
@@ -216,6 +218,9 @@ while [ $# -ne 0 ]; do
             append_cache_entry ENABLE_PERFTOOLS     BOOL   true
             append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL   true
             ;;
+        --sanitizers=*)
+            append_cache_entry SANITIZERS    STRING    $optarg
+            ;;
         --enable-jemalloc)
             append_cache_entry ENABLE_JEMALLOC     BOOL   true
             ;;

From 965a99a781788aef187869ec17994a006344c3bf Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 23 May 2019 15:41:42 -0700
Subject: [PATCH 61/91] Fix potential null-dereference in current_time()

---
 src/util.cc | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/util.cc b/src/util.cc
index 7a5eb41c5f..2a6a5c37c4 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -1507,13 +1507,11 @@ double current_time(bool real)
 
 	double t = double(tv.tv_sec) + double(tv.tv_usec) / 1e6;
 
-	const iosource::Manager::PktSrcList& pkt_srcs(iosource_mgr->GetPktSrcs());
-
-	if ( ! pseudo_realtime || real || pkt_srcs.empty() )
+	if ( ! pseudo_realtime || real || ! iosource_mgr || iosource_mgr->GetPktSrcs().empty() )
 		return t;
 
 	// This obviously only works for a single source ...
-	iosource::PktSrc* src = pkt_srcs.front();
+	iosource::PktSrc* src = iosource_mgr->GetPktSrcs().front();
 
 	if ( net_is_processing_suspended() )
 		return src->CurrentPacketTimestamp();

From 3a8b83ca252c2efcc7acf9fbf3cc87b8d01c44c4 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Wed, 12 Jun 2019 16:21:07 -0700
Subject: [PATCH 62/91] Updating submodule(s).

 [nomail]
---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index abf68ae3b4..59075e5b0c 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit abf68ae3b4c924c79d441ed16c9e0207ba0164aa
+Subproject commit 59075e5b0ced031c0c07b88beb41fab96675b59d

From 964e2c91a3e5330431eb6d82e7e0b901a6fe1f00 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 13 Jun 2019 13:36:10 -0700
Subject: [PATCH 63/91] Check for integral slice indexes, add extra test for
 [:]

---
 src/parse.y                                | 2 ++
 testing/btest/Baseline/language.vector/out | 1 +
 testing/btest/language/vector.zeek         | 1 +
 3 files changed, 4 insertions(+)

diff --git a/src/parse.y b/src/parse.y
index 2861b95dc8..07a544bb64 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -484,6 +484,8 @@ expr:
 			set_location(@1, @6);
 			Expr* low = $3 ? $3 : new ConstExpr(val_mgr->GetCount(0));
 			Expr* high = $5 ? $5 : new SizeExpr($1);
+			if ( ! IsIntegral(low->Type()->Tag()) || ! IsIntegral(high->Type()->Tag()) )
+				reporter->FatalError("slice notation must have integral values as indexes");
 			ListExpr* le = new ListExpr(low);
 			le->Append(high);
 			$$ = new IndexExpr($1, le, true);
diff --git a/testing/btest/Baseline/language.vector/out b/testing/btest/Baseline/language.vector/out
index d6ead054f1..9e12403ef7 100644
--- a/testing/btest/Baseline/language.vector/out
+++ b/testing/btest/Baseline/language.vector/out
@@ -62,3 +62,4 @@ slicing (PASS)
 slicing (PASS)
 slicing (PASS)
 slicing (PASS)
+slicing (PASS)
diff --git a/testing/btest/language/vector.zeek b/testing/btest/language/vector.zeek
index c4147b76ad..04218eb023 100644
--- a/testing/btest/language/vector.zeek
+++ b/testing/btest/language/vector.zeek
@@ -174,4 +174,5 @@ event zeek_init()
 	test_case( "slicing", all_set(v17[-3:-1] == vector( 3, 4 )) );
 	test_case( "slicing", all_set(v17[:2] == vector( 1, 2 )) );
 	test_case( "slicing", all_set(v17[2:] == vector( 3, 4, 5 )) );
+	test_case( "slicing", all_set(v17[:] == v17) );
 }

From 23f9fb0ae92b182e645ed52e729ff33575513cf4 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 13 Jun 2019 15:37:31 -0700
Subject: [PATCH 64/91] Allow assignment for vectors using slices

---
 src/Expr.cc                                | 22 +++++++++++++++++++++-
 testing/btest/Baseline/language.vector/out |  2 ++
 testing/btest/language/vector.zeek         |  4 ++++
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/Expr.cc b/src/Expr.cc
index 8d5bfcdc83..768d70ef0b 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3199,7 +3199,26 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
 
 	switch ( v1->Type()->Tag() ) {
 	case TYPE_VECTOR:
-		if ( ! v1->AsVectorVal()->Assign(v2, v, op) )
+		{
+		const ListVal *lv = v2->AsListVal();
+
+		if ( lv->Length() > 1 )
+			{
+			int len = v1->AsVectorVal()->Size();
+			bro_int_t first = get_slice_index(lv->Index(0)->CoerceToInt(), len);
+			bro_int_t last = get_slice_index(lv->Index(1)->CoerceToInt(), len);
+			int slice_length = last - first;
+
+			const VectorVal *v_vect = v->AsVectorVal();
+			if ( slice_length != v_vect->Size())
+				RuntimeError("vector being assigned to slice does not match size of slice");
+			else if ( slice_length >= 0 )
+				{
+				for ( int idx = first; idx < last; idx++ )
+					v1->AsVectorVal()->Assign(idx, v_vect->Lookup(idx - first)->Ref(), op);
+				}
+			}
+		else if ( !v1->AsVectorVal()->Assign(v2, v, op))
 			{
 			if ( v )
 				{
@@ -3216,6 +3235,7 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
 				RuntimeErrorWithCallStack("assignment failed with null value");
 			}
 		break;
+		}
 
 	case TYPE_TABLE:
 		if ( ! v1->AsTableVal()->Assign(v2, v, op) )
diff --git a/testing/btest/Baseline/language.vector/out b/testing/btest/Baseline/language.vector/out
index 9e12403ef7..cfd9b75413 100644
--- a/testing/btest/Baseline/language.vector/out
+++ b/testing/btest/Baseline/language.vector/out
@@ -63,3 +63,5 @@ slicing (PASS)
 slicing (PASS)
 slicing (PASS)
 slicing (PASS)
+slicing assignment (PASS)
+slicing assignment (PASS)
diff --git a/testing/btest/language/vector.zeek b/testing/btest/language/vector.zeek
index 04218eb023..e8b3f68e76 100644
--- a/testing/btest/language/vector.zeek
+++ b/testing/btest/language/vector.zeek
@@ -175,4 +175,8 @@ event zeek_init()
 	test_case( "slicing", all_set(v17[:2] == vector( 1, 2 )) );
 	test_case( "slicing", all_set(v17[2:] == vector( 3, 4, 5 )) );
 	test_case( "slicing", all_set(v17[:] == v17) );
+	v17[0:1] = vector(6);
+	test_case( "slicing assignment", all_set(v17 == vector(6, 2, 3, 4, 5)) );
+	v17[2:4] = vector(7, 8);
+	test_case( "slicing assignment", all_set(v17 == vector(6, 2, 7, 8, 5)) );
 }

From 32663cec04775abc6c4d07349f0161642d5c23e8 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Fri, 14 Jun 2019 12:30:29 +0200
Subject: [PATCH 65/91] Apply requested changes: - file dpd.sig and TODO
 comments for signature protocol detection removed - missing doc field filled
 in events.bif - rename OpCode and ReqCode fields into op_code and req_code
 respectively - removed unnecessary child method in NTP.h/.cc - main.zeek and
 ntp-protocol.pac reformatted

---
 scripts/base/init-bare.zeek                |   4 +-
 scripts/base/protocols/ntp/__load__.zeek   |   1 -
 scripts/base/protocols/ntp/dpd.sig         |  12 -
 scripts/base/protocols/ntp/main.zeek       | 312 ++++++++++-----------
 src/analyzer/protocol/ntp/NTP.cc           |   5 -
 src/analyzer/protocol/ntp/NTP.h            |   1 -
 src/analyzer/protocol/ntp/events.bif       |   2 +-
 src/analyzer/protocol/ntp/ntp-protocol.pac | 140 ++++-----
 8 files changed, 229 insertions(+), 248 deletions(-)
 delete mode 100644 scripts/base/protocols/ntp/dpd.sig

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 97f9fea557..71f572e028 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4995,7 +4995,7 @@ export {
 	## 6 set trap address/port command/response
 	## 7 trap response
 	## Other values are reserved.
-        OpCode     	: count;
+        op_code     	: count;
 	## The response bit. Set to zero for commands, one for responses.
         resp_bit        : bool;
         ## The error bit. Set to zero for normal response, one for error response.
@@ -5029,7 +5029,7 @@ export {
         ## An implementation-specific code which specifies the
 	## operation to be (which has been) performed and/or the
 	## format and semantics of the data included in the packet.
-        ReqCode		: count;
+        req_code		: count;
         ## The authenticated bit. If set, this packet is authenticated.
         auth_bit        : bool;
         ## For a multipacket response, contains the sequence
diff --git a/scripts/base/protocols/ntp/__load__.zeek b/scripts/base/protocols/ntp/__load__.zeek
index 16ffbbf380..a10fe855df 100644
--- a/scripts/base/protocols/ntp/__load__.zeek
+++ b/scripts/base/protocols/ntp/__load__.zeek
@@ -1,2 +1 @@
 @load ./main
-#@load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/ntp/dpd.sig b/scripts/base/protocols/ntp/dpd.sig
deleted file mode 100644
index 3c755ecc4f..0000000000
--- a/scripts/base/protocols/ntp/dpd.sig
+++ /dev/null
@@ -1,12 +0,0 @@
-signature dpd_ntp {
-
- 	ip-proto == udp
-
-
- 	# ## TODO: Define the payload. When Bro sees this regex, on
-	# ## any port, it will enable your analyzer on that
-	# ## connection.
-	# ## payload /^NTP/
-
- 	enable "ntp"
-}
diff --git a/scripts/base/protocols/ntp/main.zeek b/scripts/base/protocols/ntp/main.zeek
index 40b2b9caf0..cebc3e7184 100644
--- a/scripts/base/protocols/ntp/main.zeek
+++ b/scripts/base/protocols/ntp/main.zeek
@@ -1,138 +1,137 @@
 module NTP;
 
-# TODO: The recommended method to do dynamic protocol detection
-# (DPD) is with the signatures in dpd.sig. 
 # For the time being, we use port detection. 
 const ports = { 123/udp };
 redef likely_server_ports += { ports };
 
 export {
-        redef enum Log::ID += { LOG };
+	redef enum Log::ID += { LOG };
 
-        type Info: record {
-                ## Timestamp for when the event happened.
-                ts:     	time    &log;
-                ## Unique ID for the connection.
-                uid:    	string  &log;
-                ## The connection's 4-tuple of endpoint addresses/ports.
-                id:     	conn_id &log;
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:		time	&log;
+		## Unique ID for the connection.
+		uid:		string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:		conn_id &log;
 		## The NTP version number (1, 2, 3, 4)
-        	version:	count &log;
-        	## The NTP mode being used
-                mode:		count &log;
-        	## The stratum (primary server, secondary server, etc.)
-        	stratum:	count &log;
-        	## The maximum interval between successive messages
-        	poll:		interval &log;
-        	## The precision of the system clock
-        	precision:	interval &log;
-        	## Total round-trip delay to the reference clock
-        	root_delay:	interval &log;
-        	## Total dispersion to the reference clock
-        	root_disp:	interval &log;
-        	## For stratum 0, 4 character string used for debugging
-        	kiss_code:	string &optional &log;
-        	## For stratum 1, ID assigned to the reference clock by IANA
-        	ref_id:         string &optional &log;
-        	## Above stratum 1, when using IPv4, the IP address of the reference clock
-        	ref_addr:	addr &optional &log;
-        	## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
-        	## IPv6 address of the reference clock
-        	ref_v6_hash_prefix: string &optional &log;
-        	## Time when the system clock was last set or correct
-        	ref_time:	time &log;
-        	## Time at the client when the request departed for the NTP server
-        	org_time:	time &log;
-        	## Time at the server when the request arrived from the NTP client
-        	rec_time:	time &log;
-        	## Time at the server when the response departed for the NTP client
-        	xmt_time:	time &log;
-        	## Key used to designate a secret MD5 key
-        	key_id:		count &optional &log;
-        	## MD5 hash computed over the key followed by the NTP packet header and extension fields
-        	digest:		string &optional &log;
-        	## Number of extension fields  (which are not currently parsed)
-        	num_exts:	count &default=0 &log;
+		version:	count &log;
+		## The NTP mode being used
+		mode:		count &log;
+		## The stratum (primary server, secondary server, etc.)
+		stratum:	count &log;
+		## The maximum interval between successive messages
+		poll:		interval &log;
+		## The precision of the system clock
+		precision:	interval &log;
+		## Total round-trip delay to the reference clock
+		root_delay:	interval &log;
+		## Total dispersion to the reference clock
+		root_disp:	interval &log;
+		## For stratum 0, 4 character string used for debugging
+		kiss_code:	string &optional &log;
+		## For stratum 1, ID assigned to the reference clock by IANA
+		ref_id:		string &optional &log;
+		## Above stratum 1, when using IPv4, the IP address of the reference clock
+		ref_addr:	addr &optional &log;
+		## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
+		## IPv6 address of the reference clock
+		ref_v6_hash_prefix: string &optional &log;
+		## Time when the system clock was last set or correct
+		ref_time:	time &log;
+		## Time at the client when the request departed for the NTP server
+		org_time:	time &log;
+		## Time at the server when the request arrived from the NTP client
+		rec_time:	time &log;
+		## Time at the server when the response departed for the NTP client
+		xmt_time:	time &log;
+		## Key used to designate a secret MD5 key
+		key_id:		count &optional &log;
+		## MD5 hash computed over the key followed by the NTP packet header and extension fields
+		digest:		string &optional &log;
+		## Number of extension fields  (which are not currently parsed)
+		num_exts:	count &default=0 &log;
 
-        	## An integer specifying the command function. Values currently defined includes:
-        	## 1 read status command/response
-        	## 2 read variables command/response
-        	## 3 write variables command/response
-        	## 4 read clock variables command/response
-        	## 5 write clock variables command/response
-        	## 6 set trap address/port command/response
-        	## 7 trap response
-        	## Other values are reserved.
-        	OpCode          : count &log;
-        	## The response bit. Set to zero for commands, one for responses.
-        	resp_bit        : bool &log;
-        	## The error bit. Set to zero for normal response, one for error response.
-		err_bit         : bool &log;
-        	## The more bit. Set to zero for last fragment, one for all others.
-	        more_bit        : bool &log;
-        	## The sequence number of the command or response
-	        sequence        : count &log;
-        	## The current status of the system, peer or clock
-	        status          : count &log;    
-        	## A 16-bit integer identifying a valid association
-	        association_id  : count &log;
-	        ## This is an integer identifying the cryptographic
-	        ## key used to generate the message-authentication code
-        	ctrl_key_id          : count &optional &log;
-        	## This is a crypto-checksum computed by the encryption procedure
-        	crypto_checksum : string &optional &log;
+		## An integer specifying the command function. Values currently defined includes:
+		## 1 read status command/response
+		## 2 read variables command/response
+		## 3 write variables command/response
+		## 4 read clock variables command/response
+		## 5 write clock variables command/response
+		## 6 set trap address/port command/response
+		## 7 trap response
+		## Other values are reserved.
+		op_code	  : count &log;
+		## The response bit. Set to zero for commands, one for responses.
+		resp_bit	: bool &log;
+		## The error bit. Set to zero for normal response, one for error response.
+		err_bit	 : bool &log;
+		## The more bit. Set to zero for last fragment, one for all others.
+		more_bit	: bool &log;
+		## The sequence number of the command or response
+		sequence	: count &log;
+		## The current status of the system, peer or clock
+		status	  : count &log;
+		## A 16-bit integer identifying a valid association
+		association_id  : count &log;
+		## This is an integer identifying the cryptographic
+		## key used to generate the message-authentication code
+		ctrl_key_id	  : count &optional &log;
+		## This is a crypto-checksum computed by the encryption procedure
+		crypto_checksum : string &optional &log;
 	
 
 		## An implementation-specific code which specifies the
 		## operation to be (which has been) performed and/or the
 		## format and semantics of the data included in the packet.
-        	ReqCode         : count &log;
-        	## The authenticated bit. If set, this packet is authenticated.
-        	auth_bit        : bool &log;
-        	## For a multipacket response, contains the sequence
-       		## number of this packet.  0 is the first in the sequence,
-        	## 127 (or less) is the last.  The More Bit must be set in
-        	## all packets but the last.
-        	sequence        : count &log;
-        	## The number of the implementation this request code
-        	## is defined by.  An implementation number of zero is used
-        	## for requst codes/data formats which all implementations
-        	## agree on.  Implementation number 255 is reserved (for
-        	## extensions, in case we run out).
-        	implementation  : count &log;
-        	##  Must be 0 for a request.  For a response, holds an error
-        	##  code relating to the request.  If nonzero, the operation
-        	##  requested wasn't performed.
-        	##
-        	##               0 - no error
-        	##               1 - incompatible implementation number
-        	##               2 - unimplemented request code
-        	##               3 - format error (wrong data items, data size, packet size etc.)
-        	##               4 - no data available (e.g. request for details on unknown peer)
-        	##               5-6 I don't know
-        	##               7 - authentication failure (i.e. permission denied)
-        	err             : count &log;
+		req_code	 : count &log;
+		## The authenticated bit. If set, this packet is authenticated.
+		auth_bit	: bool &log;
+		## For a multipacket response, contains the sequence
+		## number of this packet.  0 is the first in the sequence,
+		## 127 (or less) is the last.  The More Bit must be set in
+		## all packets but the last.
+		sequence	: count &log;
+		## The number of the implementation this request code
+		## is defined by.  An implementation number of zero is used
+		## for requst codes/data formats which all implementations
+		## agree on.  Implementation number 255 is reserved (for
+		## extensions, in case we run out).
+		implementation  : count &log;
+		##  Must be 0 for a request.  For a response, holds an error
+		##  code relating to the request.  If nonzero, the operation
+		##  requested wasn't performed.
+		##
+		##	0 - no error
+		##	1 - incompatible implementation number
+		##	2 - unimplemented request code
+		##	3 - format error (wrong data items, data size, packet size etc.)
+		##	4 - no data available (e.g. request for details on unknown peer)
+		##	5-6 I don't know
+		##	7 - authentication failure (i.e. permission denied)
+		err		: count &log;
 	};
 
-        ## Event that can be handled to access the NTP record as it is sent on
-        ## to the logging framework.
-        global log_ntp: event(rec: Info);
+	## Event that can be handled to access the NTP record as it is sent on
+	## to the logging framework.
+	global log_ntp: event(rec: Info);
 }
 
 redef record connection += {
-        ntp: Info &optional;
+	ntp: Info &optional;
 };
 
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
-{
+	{
 	local info: Info;
-	  info$ts  = network_time();
-	  info$uid = c$uid;
-	  info$id  = c$id;
-	  info$version = msg$version;
-          info$mode = msg$mode;
+	info$ts  = network_time();
+	info$uid = c$uid;
+	info$id  = c$id;
+	info$version = msg$version;
+	info$mode = msg$mode;
 
-	  if ( msg$mode < 6 ) { 
+	if ( msg$mode < 6 ) 
+		{ 
  		info$stratum = msg$std_msg$stratum;
 		info$poll =  msg$std_msg$poll;
 		info$precision =  msg$std_msg$precision;
@@ -141,69 +140,70 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 
 		if ( msg$std_msg?$kiss_code) 
 			info$kiss_code =  msg$std_msg$kiss_code;
-                if ( msg$std_msg?$ref_id)
-                        info$ref_id =  msg$std_msg$ref_id;
-                if ( msg$std_msg?$ref_addr)
-                        info$ref_addr =  msg$std_msg$ref_addr;
-                if ( msg$std_msg?$ref_v6_hash_prefix)
-                        info$ref_v6_hash_prefix =  msg$std_msg$ref_v6_hash_prefix;
+		if ( msg$std_msg?$ref_id)
+			info$ref_id =  msg$std_msg$ref_id;
+		if ( msg$std_msg?$ref_addr)
+			info$ref_addr =  msg$std_msg$ref_addr;
+		if ( msg$std_msg?$ref_v6_hash_prefix)
+			info$ref_v6_hash_prefix =  msg$std_msg$ref_v6_hash_prefix;
 
-                info$ref_time =  msg$std_msg$ref_time;
-                info$org_time =  msg$std_msg$org_time;
-                info$rec_time =  msg$std_msg$rec_time;
-                info$xmt_time =  msg$std_msg$xmt_time;
+		info$ref_time =  msg$std_msg$ref_time;
+		info$org_time =  msg$std_msg$org_time;
+		info$rec_time =  msg$std_msg$rec_time;
+		info$xmt_time =  msg$std_msg$xmt_time;
 
-                if ( msg$std_msg?$key_id)
-                        info$key_id =  msg$std_msg$key_id;
-                if ( msg$std_msg?$digest)
-                        info$digest =  msg$std_msg$digest;
+		if ( msg$std_msg?$key_id)
+			info$key_id =  msg$std_msg$key_id;
+		if ( msg$std_msg?$digest)
+			info$digest =  msg$std_msg$digest;
 
 		info$num_exts =  msg$std_msg$num_exts;
-	  }
+		}
 
-          if ( msg$mode==6 ) {
-             info$OpCode = msg$control_msg$OpCode;
-             info$resp_bit = msg$control_msg$resp_bit;
-             info$err_bit = msg$control_msg$err_bit;
-             info$more_bit = msg$control_msg$more_bit;
-             info$sequence = msg$control_msg$sequence;
-             info$status = msg$control_msg$status;
-             info$association_id = msg$control_msg$association_id;
+	if ( msg$mode==6 ) 
+		{
+		info$op_code = msg$control_msg$op_code;
+		info$resp_bit = msg$control_msg$resp_bit;
+		info$err_bit = msg$control_msg$err_bit;
+		info$more_bit = msg$control_msg$more_bit;
+		info$sequence = msg$control_msg$sequence;
+		info$status = msg$control_msg$status;
+		info$association_id = msg$control_msg$association_id;
 
-                if ( msg$control_msg?$key_id)
-                        info$ctrl_key_id =  msg$control_msg$key_id;
-                if ( msg$control_msg?$crypto_checksum)
-                        info$crypto_checksum =  msg$control_msg$crypto_checksum;
+		if ( msg$control_msg?$key_id)
+			info$ctrl_key_id =  msg$control_msg$key_id;
+		if ( msg$control_msg?$crypto_checksum)
+			info$crypto_checksum =  msg$control_msg$crypto_checksum;
+		}
 
-	  }
+	if ( msg$mode==7 ) 
+		{
+		info$req_code = msg$mode7_msg$req_code;
+		info$auth_bit = msg$mode7_msg$auth_bit;
+		info$sequence = msg$mode7_msg$sequence;
+		info$implementation = msg$mode7_msg$implementation;
+		info$err = msg$mode7_msg$err;
+		}
 
-          if ( msg$mode==7 ) {
-             info$ReqCode = msg$mode7_msg$ReqCode;
-	     info$auth_bit = msg$mode7_msg$auth_bit;
-	     info$sequence = msg$mode7_msg$sequence;
-	     info$implementation = msg$mode7_msg$implementation;
-	     info$err = msg$mode7_msg$err;
-	  }
-
-        # Copy the present packet info into the connection record
+	# Copy the present packet info into the connection record
 	# If more ntp packets are sent on the same connection, the newest one
 	# will overwrite the previous
 	c$ntp = info;
 
 	# Add the service to the Conn::LOG
 	add c$service["ntp"];
-}
+	}
 
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
-{
-        # Log every ntp packet into ntp.log
-        Log::write(NTP::LOG, c$ntp);
-}
+	{
+	# Log every ntp packet into ntp.log
+	Log::write(NTP::LOG, c$ntp);
+	}
 
 event zeek_init() &priority=5
-{
-    Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
 
-    Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
-}
+	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
+	}
 
diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
index 9a88138206..9c44e7b526 100644
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ b/src/analyzer/protocol/ntp/NTP.cc
@@ -17,11 +17,6 @@ NTP_Analyzer::~NTP_Analyzer()
 	delete interp;
 	}
 
-void NTP_Analyzer::Done()
-	{
-	Analyzer::Done();
-	}
-
 void NTP_Analyzer::DeliverPacket(int len, const u_char* data,
 				    bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
index c155fb3135..b43e51217b 100644
--- a/src/analyzer/protocol/ntp/NTP.h
+++ b/src/analyzer/protocol/ntp/NTP.h
@@ -16,7 +16,6 @@ public:
 	~NTP_Analyzer() override;
 
 	// Overriden from Analyzer.
-	void Done() override;
 	void DeliverPacket(int len, const u_char* data, bool orig,
 					uint64 seq, const IP_Hdr* ip, int caplen) override;
 
diff --git a/src/analyzer/protocol/ntp/events.bif b/src/analyzer/protocol/ntp/events.bif
index b9f66a1160..3ed214db0f 100644
--- a/src/analyzer/protocol/ntp/events.bif
+++ b/src/analyzer/protocol/ntp/events.bif
@@ -6,7 +6,7 @@
 ##
 ## c: The connection record describing the corresponding UDP flow.
 ##
-## is_orig: 
+## is_orig: True if the message was sent by the originator.
 ##
 ## msg: The parsed NTP message.
 ##
diff --git a/src/analyzer/protocol/ntp/ntp-protocol.pac b/src/analyzer/protocol/ntp/ntp-protocol.pac
index 55b09a0ce7..9679256a7e 100644
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@@ -3,52 +3,52 @@
 type NTP_PDU(is_orig: bool) = record {
 	# The first byte of the NTP header contains the leap indicator,
 	# the version and the mode
-	first_byte     	: uint8;
-  	# Modes 1-5 are standard NTP time sync
-  	standard_modes  : case (mode>=1 && mode<=5) of {
-  		true  	-> std		: NTP_std_msg;
-    		false 	-> emp		: empty;
-  	};
-  	modes_6_7     	: case (mode) of {
+	first_byte	: uint8;
+		# Modes 1-5 are standard NTP time sync
+	standard_modes	: case (mode>=1 && mode<=5) of {
+		true	-> std		: NTP_std_msg;
+ 		false 	-> emp		: empty;
+	};
+	modes_6_7	: case (mode) of {
 		# mode 6 is for control messages (format is different from modes 6-7)
-    		6 	-> control 	: NTP_control_msg;
+ 		6 	-> control 	: NTP_control_msg;
 		# mode 7 is reserved or private (and implementation dependent). For example used for some commands such as MONLIST 
-    		7 	-> mode7  	: NTP_mode7_msg;
-  		default -> unknown	: bytestring &restofdata;
-  	};
+ 		7 	-> mode7	: NTP_mode7_msg;
+		default -> unknown	: bytestring &restofdata;
+	};
 } &let {
-	leap	:	uint8  = (first_byte & 0xc0)>>6;   	# First 2 bits of 8-bits value
-	version	:	uint8  = (first_byte & 0x38)>>3; 	# Bits 3-5 of 8-bits value
-	mode	:	uint8  = (first_byte & 0x07);  		# Bits 6-8 of 8-bits value
+	leap	:	uint8	= (first_byte & 0xc0)>>6;	# First 2 bits of 8-bits value
+	version	:	uint8	= (first_byte & 0x38)>>3; 	# Bits 3-5 of 8-bits value
+	mode	:	uint8	= (first_byte & 0x07);		# Bits 6-8 of 8-bits value
 } &byteorder=bigendian &exportsourcedata;
 
 # This is the most common type of message, corresponding to modes 1-5
 # This kind of msg are used for normal operation of syncronization
 # See RFC 5905 for details
 type NTP_std_msg = record {
-        stratum        : uint8;
-        poll           : int8;
-        precision      : int8;
+	stratum		: uint8;
+	poll		: int8;
+	precision	: int8;
 
-        root_delay     : NTP_Short_Time;
-        root_dispersion: NTP_Short_Time;
-        reference_id   : bytestring &length=4;
-        reference_ts   : NTP_Time;
+	root_delay	: NTP_Short_Time;
+	root_dispersion	: NTP_Short_Time;
+	reference_id	: bytestring &length=4;
+	reference_ts	: NTP_Time;
 
-        origin_ts      : NTP_Time;
-        receive_ts     : NTP_Time;
-        transmit_ts    : NTP_Time;
-        extensions     : case (has_exts) of {
-				true  -> exts	: Extension_Field[] &until($input.length() > 24); 
-				false -> nil 	: empty;
-                         } &requires(has_exts);
-        mac_fields     : case (mac_len) of {
-                                20	-> mac		: NTP_MAC;
-                                24 	-> mac_ext 	: NTP_MAC_ext;
-                                default -> nil2 	: empty;
-                         } &requires(mac_len);
+	origin_ts	: NTP_Time;
+	receive_ts	: NTP_Time;
+	transmit_ts	: NTP_Time;
+	extensions	: case (has_exts) of {
+				true	-> exts	: Extension_Field[] &until($input.length() > 24); 
+				false	-> nil 	: empty;
+			 } &requires(has_exts);
+	mac_fields	: case (mac_len) of {
+				20	-> mac		: NTP_MAC;
+				24 	-> mac_ext 	: NTP_MAC_ext;
+				default -> nil2 	: empty;
+			 } &requires(mac_len);
 } &let {
-        length          = sourcedata.length();
+	length		= sourcedata.length();
 	has_exts: bool	= (length - offsetof(extensions)) > 24;
 	mac_len: uint32	= (length - offsetof(mac_fields));
 } &byteorder=bigendian &exportsourcedata;
@@ -56,24 +56,24 @@ type NTP_std_msg = record {
 # This format is for mode==6, control msg
 # See RFC 1119 for details
 type NTP_control_msg = record {
-        second_byte	: uint8;
-        sequence	: uint16;
-        status      	: uint16;    #TODO: this can be further parsed internally
-        association_id	: uint16;
-        offs		: uint16;
-        c	   	: uint16;
+	second_byte	: uint8;
+	sequence	: uint16;
+	status		: uint16;	#TODO: this can be further parsed internally
+	association_id	: uint16;
+	offs		: uint16;
+	c		: uint16;
 	data		: bytestring &length=c;
-        mac_fields	: case (has_control_mac) of {
-                                true  -> mac : NTP_CONTROL_MAC;
-                                false -> nil : empty;
-                         } &requires(has_control_mac);
+	mac_fields	: case (has_control_mac) of {
+				true	-> mac : NTP_CONTROL_MAC;
+				false	-> nil : empty;
+			 } &requires(has_control_mac);
 } &let {
-        R	: bool   = (second_byte & 0x80) > 0;	# First bit of 8-bits value
-        E	: bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
-        M	: bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
-        OpCode	: uint8  = (second_byte & 0x1F);	# Last 5 bits of 8-bits value
-        length	= sourcedata.length();
-        has_control_mac: bool   = (length - offsetof(mac_fields)) == 12;
+	R	: bool	= (second_byte & 0x80) > 0;	# First bit of 8-bits value
+	E	: bool	= (second_byte & 0x40) > 0;	# Second bit of 8-bits value
+	M	: bool	= (second_byte & 0x20) > 0;	# Third bit of 8-bits value
+	OpCode	: uint8	= (second_byte & 0x1F);	# Last 5 bits of 8-bits value
+	length	= sourcedata.length();
+	has_control_mac: bool	= (length - offsetof(mac_fields)) == 12;
 } &byteorder=bigendian &exportsourcedata;
 
 # As in RFC 5905
@@ -90,35 +90,35 @@ type NTP_MAC_ext = record {
 
 # As in RFC 1119
 type NTP_CONTROL_MAC = record {
-        key_id		: uint32;
-     	crypto_checksum	: bytestring &length=8;
+	key_id		: uint32;
+	crypto_checksum	: bytestring &length=8;
 } &length=12;
 
 # As defined in RFC 5906
 type Extension_Field = record {
-  first_byte_ext: uint8;
-  field_type	: uint8;
-  len		: uint16;
-  association_id: uint16;
-  timestamp	: uint32;
-  filestamp	: uint32;
-  value_len	: uint32;
-  value		: bytestring &length=value_len;
-  sig_len	: uint32;
-  signature	: bytestring &length=sig_len;
-  pad		: padding to (len - offsetof(first_byte_ext));
+	first_byte_ext: uint8;
+	field_type	: uint8;
+	len		: uint16;
+	association_id	: uint16;
+	timestamp	: uint32;
+	filestamp	: uint32;
+	value_len	: uint32;
+	value		: bytestring &length=value_len;
+	sig_len		: uint32;
+	signature	: bytestring &length=sig_len;
+	pad		: padding to (len - offsetof(first_byte_ext));
 } &let {
-        R:	bool   = (first_byte_ext & 0x80) > 0;	# First bit of 8-bits value
-        E:	bool   = (first_byte_ext & 0x40) > 0;	# Second bit of 8-bits value
-        Code:	uint8  = (first_byte_ext & 0x3F);	# Last 6 bits of 8-bits value
+	R:	bool	= (first_byte_ext & 0x80) > 0;	# First bit of 8-bits value
+	E:	bool	= (first_byte_ext & 0x40) > 0;	# Second bit of 8-bits value
+	Code:	uint8	= (first_byte_ext & 0x3F);	# Last 6 bits of 8-bits value
 };
 
 type NTP_Short_Time = record {
-  seconds	: int16;
-  fractions	: int16;
+	seconds	: int16;
+	fractions	: int16;
 };
 
 type NTP_Time = record {
-  seconds	: uint32;
-  fractions	: uint32;
+	seconds	: uint32;
+	fractions	: uint32;
 };

From 3e7532e76048005aaaff9f490078039fa54a1ad3 Mon Sep 17 00:00:00 2001
From: Mauro Palumbo <mauropalumbo75@gmail.com>
Date: Fri, 14 Jun 2019 14:00:33 +0200
Subject: [PATCH 66/91] update tests baseline

---
 .../ntp.log                                    |  6 +++---
 .../scripts.base.protocols.ntp.ntp/ntp.log     |  6 +++---
 .../scripts.base.protocols.ntp.ntp2/.stdout    |  2 +-
 .../scripts.base.protocols.ntp.ntp2/ntp.log    |  6 +++---
 .../scripts.base.protocols.ntp.ntp3/ntp.log    |  6 +++---
 .../.stdout                                    | 18 +++++++++---------
 .../ntp.log                                    | 18 +++++++++---------
 7 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/ntp.log
index 7b687745d5..67a1f539d6 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp-digest/ntp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-06-14-43-28
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#open	2019-06-14-10-32-46
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	op_code	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	req_code	auth_bit	sequence	implementation	err
 #types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
 1495804929.483801	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.026230	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495804929.482904	1	\xac\x01{i\x91\\\xe5\xa7\xa9\xfbs\xac\x8b\xd1`;	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1495804987.484143	CHhAvVGS1DHFjwGM9	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.027100	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495804987.483591	1	3\x03\x03\xf0\xaa\x15`\xf5i\xd8=\xfa\x10S\x80\xd4	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
@@ -46,4 +46,4 @@
 1495806080.498110	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.043488	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806080.498132	1	\xe0\xa3^\x9ck*qa\x85\x1aVA|bJA	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1495806100.498331	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.043793	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806100.498395	1	;\x03\xae\x8a\xf1}ABj\x87\xa0\xf4\xa8C\xd7\x9f	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1495806130.498492	CtPZjS20MLrsMUOJi2	2003:51:6012:121::2	123	2003:51:6012:110::dcf7:123	123	4	3	2	64.000000	0.000000	0.002213	0.044235	-	-	182.165.128.219	-	1495804247.476651	0.000000	0.000000	1495806130.498813	1	\x1e\xa7\xc3\xd2\xe3\x0e\x08!\x8f\xe3Z$&B\x96\x13	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
-#close	2019-06-06-14-43-28
+#close	2019-06-14-10-32-46
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
index f69cae6089..1d8ff5f21f 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp/ntp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-06-14-36-12
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#open	2019-06-14-10-32-45
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	op_code	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	req_code	auth_bit	sequence	implementation	err
 #types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
 1559246614.027454	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	3	2	64.000000	0.000000	0.046280	0.024170	-	-	85.199.214.99	-	1559246556.073681	1559246548.048352	1559246548.076756	1559246614.027421	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1559246614.074475	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.071350	-	-	105.237.207.28	-	1559245852.721794	1559246614.027421	1559246614.048376	1559246614.048407	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
@@ -38,4 +38,4 @@
 1559246626.075079	Ck51lg1bScffFj34Ri	192.168.43.118	123	147.135.207.213	123	4	4	2	64.000000	0.000008	0.042236	0.037491	-	-	212.7.1.132	-	1559245356.576177	1559246626.027432	1559246626.058084	1559246626.058151	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1559246627.027502	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	3	2	64.000000	0.000000	0.046280	0.024368	-	-	85.199.214.99	-	1559246556.073681	1559246560.040576	1559246560.064668	1559246627.027459	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1559246627.073485	CNnMIj2QSd84NKf7U3	192.168.43.118	123	80.211.88.132	123	3	4	3	64.000000	0.000001	0.011765	0.001526	-	-	185.19.184.35	-	1559245638.390748	1559246627.027459	1559246627.050401	1559246627.050438	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
-#close	2019-06-06-14-36-13
+#close	2019-06-14-10-32-45
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
index 64f538e4b5..3ec1956dc8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/.stdout
@@ -32,4 +32,4 @@ ntp_message 192.168.43.118 -> 80.211.155.206:123 [version=4, mode=4, std_msg=[st
 ntp_message 192.168.43.118 -> 147.135.207.213:123 [version=4, mode=4, std_msg=[stratum=2, poll=64.0, precision=0.000008, root_delay=0.042236, root_disp=0.041595, kiss_code=<uninitialized>, ref_id=<uninitialized>, ref_addr=212.7.1.132, ref_v6_hash_prefix=<uninitialized>, ref_time=1559245356.576177, org_time=1559246900.027439, rec_time=1559246900.103765, xmt_time=1559246900.103887, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=3, std_msg=[stratum=0, poll=16.0, precision=0.015625, root_delay=1.0, root_disp=1.0, kiss_code=\x00\x00\x00\x00, ref_id=<uninitialized>, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=0.0, org_time=0.0, rec_time=0.0, xmt_time=1101309131.444112, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
 ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=4, mode=4, std_msg=[stratum=1, poll=16.0, precision=0, root_delay=0.0, root_disp=0.000122, kiss_code=<uninitialized>, ref_id=CTD\x00, ref_addr=<uninitialized>, ref_v6_hash_prefix=<uninitialized>, ref_time=1559246910.937978, org_time=1101309131.444112, rec_time=1559246940.281161, xmt_time=1559246940.281191, key_id=<uninitialized>, digest=<uninitialized>, num_exts=0], control_msg=<uninitialized>, mode7_msg=<uninitialized>]
-ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=42, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
+ntp_message 192.168.43.118 -> 193.204.114.232:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[req_code=42, auth_bit=F, sequence=0, implementation=3, err=0, data=<uninitialized>]]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
index b8e53bc43b..8e104dfe4c 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp2/ntp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-06-14-36-21
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#open	2019-06-14-10-32-47
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	op_code	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	req_code	auth_bit	sequence	implementation	err
 #types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
 1559246885.027478	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	3	2	64.000000	0.000000	0.046280	0.028229	-	-	85.199.214.99	-	1559246556.073681	1559246818.058351	1559246818.079217	1559246885.027449	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1559246885.088815	CHhAvVGS1DHFjwGM9	192.168.43.118	123	80.211.52.109	123	4	4	4	64.000000	0.000000	0.048843	0.075409	-	-	105.237.207.28	-	1559245852.721794	1559246885.027449	1559246885.069212	1559246885.069247	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
@@ -41,4 +41,4 @@
 1559246940.262220	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	3	0	16.000000	0.015625	1.000000	1.000000	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1101309131.444112	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1559246940.304152	C7fIlMZDuRiqjpYbb	192.168.43.118	58229	193.204.114.232	123	4	4	1	16.000000	0.000000	0.000000	0.000122	-	CTD\x00	-	-	1559246910.937978	1101309131.444112	1559246940.281161	1559246940.281191	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1559246940.486493	CykQaM33ztNt0csB9a	192.168.43.118	43046	193.204.114.232	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	-	-	42	F	-	3	0
-#close	2019-06-06-14-36-21
+#close	2019-06-14-10-32-47
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
index 38d0a32f16..0a96df548f 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntp3/ntp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-06-14-36-29
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#open	2019-06-14-10-32-49
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	op_code	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	req_code	auth_bit	sequence	implementation	err
 #types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
 1096255084.954975	ClEkJM2Vm5giqnMf4h	192.168.50.50	123	67.129.68.9	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1096255084.955306	C4J4Th3PJpwUYZZ6gc	192.168.50.50	123	69.44.57.60	123	3	1	0	1024.000000	0.015625	0.000000	1.010010	\x00\x00\x00\x00	-	-	-	0.000000	0.000000	0.000000	1096255084.922896	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
@@ -36,4 +36,4 @@
 1096255085.522297	CwjjYJ2WqgTbAqiHl6	192.168.50.50	123	64.112.189.11	123	3	2	2	1024.000000	0.000015	0.081268	0.029877	-	-	128.10.252.6	-	1096254706.140290	1096255084.922896	1096255083.850451	1096255083.850465	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1096255085.562197	CmES5u32sYpV7JYN	192.168.50.50	123	216.27.185.42	123	3	2	2	1024.000000	0.000004	0.029846	0.045456	-	-	164.67.62.194	-	1096254209.896379	1096255084.922896	1096255083.849099	1096255083.849269	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
 1096255085.599961	CUM0KZ3MLUfNB0cl11	192.168.50.50	123	209.132.176.4	123	3	2	1	1024.000000	0.000015	0.000000	0.000504	-	CDMA	-	-	1096255068.944018	1096255084.922896	1096255083.827772	1096255083.828313	-	-	0	-	-	-	-	-	-	-	-	-	-	-	-	-	-
-#close	2019-06-06-14-36-29
+#close	2019-06-14-10-32-49
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
index 7fc7a9aede..371eb7dbb4 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/.stdout
@@ -1,9 +1,9 @@
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=1, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=42, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[OpCode=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, data=0, key_id=0, crypto_checksum=], mode7_msg=<uninitialized>]
-ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[ReqCode=1, auth_bit=F, sequence=0, implementation=3, err=0, data=]]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[op_code=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, data=<uninitialized>, key_id=<uninitialized>, crypto_checksum=<uninitialized>], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[op_code=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, data=<uninitialized>, key_id=<uninitialized>, crypto_checksum=<uninitialized>], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[op_code=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, data=<uninitialized>, key_id=<uninitialized>, crypto_checksum=<uninitialized>], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[req_code=1, auth_bit=F, sequence=0, implementation=3, err=0, data=<uninitialized>]]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[req_code=42, auth_bit=F, sequence=0, implementation=3, err=0, data=<uninitialized>]]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[op_code=1, resp_bit=F, err_bit=F, more_bit=F, sequence=1, status=0, association_id=0, data=<uninitialized>, key_id=<uninitialized>, crypto_checksum=<uninitialized>], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[op_code=2, resp_bit=F, err_bit=F, more_bit=F, sequence=2, status=0, association_id=19183, data=<uninitialized>, key_id=<uninitialized>, crypto_checksum=<uninitialized>], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=6, std_msg=<uninitialized>, control_msg=[op_code=2, resp_bit=F, err_bit=F, more_bit=F, sequence=3, status=0, association_id=19184, data=<uninitialized>, key_id=<uninitialized>, crypto_checksum=<uninitialized>], mode7_msg=<uninitialized>]
+ntp_message 127.0.0.1 -> 127.0.0.1:123 [version=2, mode=7, std_msg=<uninitialized>, control_msg=<uninitialized>, mode7_msg=[req_code=1, auth_bit=F, sequence=0, implementation=3, err=0, data=<uninitialized>]]
diff --git a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log
index a441d8397b..3234df11d5 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ntp.ntpmode67/ntp.log
@@ -3,16 +3,16 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ntp
-#open	2019-06-06-14-36-41
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	OpCode	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	ReqCode	auth_bit	sequence	implementation	err
+#open	2019-06-14-10-32-50
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	mode	stratum	poll	precision	root_delay	root_disp	kiss_code	ref_id	ref_addr	ref_v6_hash_prefix	ref_time	org_time	rec_time	xmt_time	key_id	digest	num_exts	op_code	resp_bit	err_bit	more_bit	sequence	status	association_id	ctrl_key_id	crypto_checksum	req_code	auth_bit	sequence	implementation	err
 #types	time	string	addr	port	addr	port	count	count	count	interval	interval	interval	interval	string	string	addr	string	time	time	time	time	count	string	count	count	bool	bool	bool	count	count	count	count	string	count	bool	count	count	count
-1558603188.282844	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	0	(empty)	-	-	-	-	-
-1558603188.283617	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	0	(empty)	-	-	-	-	-
-1558603188.286063	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	0	(empty)	-	-	-	-	-
+1558603188.282844	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	-	-	-	-	-	-	-
+1558603188.283617	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	-	-	-	-	-	-	-
+1558603188.286063	CHhAvVGS1DHFjwGM9	127.0.0.1	40769	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	-	-	-	-	-	-	-
 1558603201.135003	ClEkJM2Vm5giqnMf4h	127.0.0.1	57531	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	-	-	1	F	-	3	0
 1558603206.793297	C4J4Th3PJpwUYZZ6gc	127.0.0.1	46918	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	-	-	42	F	-	3	0
-1558603213.886044	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	0	(empty)	-	-	-	-	-
-1558603213.886779	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	0	(empty)	-	-	-	-	-
-1558603213.889030	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	0	(empty)	-	-	-	-	-
+1558603213.886044	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	1	F	F	F	1	0	0	-	-	-	-	-	-	-
+1558603213.886779	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	2	0	19183	-	-	-	-	-	-	-
+1558603213.889030	CtPZjS20MLrsMUOJi2	127.0.0.1	56506	127.0.0.1	123	2	6	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	2	F	F	F	3	0	19184	-	-	-	-	-	-	-
 1558603219.996399	CUM0KZ3MLUfNB0cl11	127.0.0.1	55675	127.0.0.1	123	2	7	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	0	-	-	-	-	0	-	-	-	-	1	F	-	3	0
-#close	2019-06-06-14-36-41
+#close	2019-06-14-10-32-50

From 5f0023b3b0b5aa605dd484207143be6d6e19fb07 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Fri, 14 Jun 2019 10:18:37 -0500
Subject: [PATCH 67/91] DNS: Add support for SPF response records

SPF response records are identical to TXT records in structure, and
can be parsed and interpreted the same way. However, they have a
different RR type, so they would generate weird events and not be
parsed by Zeek before this change.

Even though they're the same as TXT records from a protocol stance, I
created a new event type (dns_SPF_reply), and call the records out as
SPF in the logs, instead of as TXT records, since the distinction
could be important for detection purposes.

SPF records have been obsoleted, but continue to be seen in the wild.
---
 scripts/base/protocols/dns/main.zeek          |  15 +++++
 src/analyzer/protocol/dns/DNS.cc              |  34 ++++++++++
 src/analyzer/protocol/dns/DNS.h               |   5 ++
 src/analyzer/protocol/dns/events.bif          |  63 ++++++++++++------
 .../scripts.base.protocols.dns.spf/dns.log    |  10 +++
 testing/btest/Traces/dns-spf.pcap             | Bin 0 -> 285 bytes
 .../btest/scripts/base/protocols/dns/spf.zeek |   4 ++
 7 files changed, 112 insertions(+), 19 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log
 create mode 100644 testing/btest/Traces/dns-spf.pcap
 create mode 100644 testing/btest/scripts/base/protocols/dns/spf.zeek

diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek
index b8cb2b80b5..3906ab5cf0 100644
--- a/scripts/base/protocols/dns/main.zeek
+++ b/scripts/base/protocols/dns/main.zeek
@@ -456,6 +456,21 @@ event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_v
 	hook DNS::do_reply(c, msg, ans, txt_strings);
 	}
 
+event dns_SPF_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec) &priority=5
+	{
+	local spf_strings: string = "";
+
+	for ( i in strs )
+		{
+		if ( i > 0 )
+			spf_strings += " ";
+
+		spf_strings += fmt("SPF %d %s", |strs[i]|, strs[i]);
+		}
+
+	hook DNS::do_reply(c, msg, ans, spf_strings);
+	}
+
 event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
 	{
 	hook DNS::do_reply(c, msg, ans, fmt("%s", a));
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index c9e2c61cd7..51a8d1cec3 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -281,6 +281,10 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 			status = ParseRR_TXT(msg, data, len, rdlength, msg_start);
 			break;
 
+		case TYPE_SPF:
+			status = ParseRR_SPF(msg, data, len, rdlength, msg_start);
+			break;
+
 		case TYPE_CAA:
 			status = ParseRR_CAA(msg, data, len, rdlength, msg_start);
 			break;
@@ -1321,6 +1325,36 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 	return rdlength == 0;
 	}
 
+int DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	if ( ! dns_SPF_reply || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return 1;
+		}
+
+	VectorVal* char_strings = new VectorVal(string_vec);
+	StringVal* char_string;
+
+	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
+		char_strings->Assign(char_strings->Size(), char_string);
+
+	if ( dns_SPF_reply )
+		analyzer->ConnectionEventFast(dns_SPF_reply, {
+			analyzer->BuildConnVal(),
+			msg->BuildHdrVal(),
+			msg->BuildAnswerVal(),
+			char_strings,
+		});
+	else
+		Unref(char_strings);
+
+	return rdlength == 0;
+	}
+
 int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start)
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index a4975cdaa1..8a82768ce0 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -63,6 +63,8 @@ typedef enum {
 	TYPE_DNSKEY = 48,	///< DNS Key record (RFC 4034)
 	TYPE_DS = 43,		///< Delegation signer (RFC 4034)
 	TYPE_NSEC3 = 50,
+	// Obsoleted
+	TYPE_SPF = 99,          ///< Alternative: storing SPF data in TXT records, using the same format (RFC 4408). Support for it was discontinued in RFC 7208
 	// The following are only valid in queries.
 	TYPE_AXFR = 252,
 	TYPE_ALL = 255,
@@ -282,6 +284,9 @@ protected:
 	int ParseRR_TXT(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);
+	int ParseRR_SPF(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
 	int ParseRR_CAA(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index ae57219775..7ddbd0c7b3 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -15,7 +15,7 @@
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
 ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid  dns_query_reply dns_rejected
 ##    dns_request non_dns_request  dns_max_queries dns_session_timeout dns_skip_addl
@@ -42,7 +42,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
 ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -71,7 +71,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
 ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -97,7 +97,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
 ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
 ##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -123,7 +123,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
 ##    dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -148,7 +148,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## .. zeek:see::  dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -173,7 +173,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## .. zeek:see::  dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -198,7 +198,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply  dns_PTR_reply dns_SOA_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -223,7 +223,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply  dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -248,7 +248,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply  dns_SOA_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -273,7 +273,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -296,7 +296,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply  dns_end dns_full_request
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply  dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -319,7 +319,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -346,7 +346,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply  dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -378,6 +378,31 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
 
+## Generated for DNS replies of type *SPF*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## strs: The textual information returned by the reply.
+##
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl  dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_SPF_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
+
 ## Generated for DNS replies of type *CAA* (Certification Authority Authorization).
 ## For replies with multiple answers, an individual event of the corresponding type
 ## is raised for each.
@@ -425,7 +450,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -444,7 +469,7 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: strin
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_SRV_reply dns_end
 event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 
 ## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
@@ -463,7 +488,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -486,7 +511,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply  dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_SRV_reply  dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -575,7 +600,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log
new file mode 100644
index 0000000000..ebec6a3979
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2019-06-14-15-15-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1560524739.386971	CHhAvVGS1DHFjwGM9	10.91.0.62	57806	10.91.1.59	53	udp	64161	-	mail.vladg.net	-	-	-	-	0	NOERROR	F	F	F	T	0	SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all	300.000000,300.000000	F
+#close	2019-06-14-15-15-00
diff --git a/testing/btest/Traces/dns-spf.pcap b/testing/btest/Traces/dns-spf.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..4781bcd416eaa2a358718f00466fbae2ec0c9b0d
GIT binary patch
literal 285
zcmca|c+)~A1{MYcU}0bcat?22j^#Vb$`A@<gYc8y9;;VE7aFT>*6-tBaAja{Upk9{
z!9kFLfh(H9jw_nc`r$bSQwC$P;$I6H6~IO?Ffg*@CT8ZamgOX-q%-HGmM}0RgJd)X
zfChp9$dcL5Ss5k(*&qxt9%2>PlBQ{y4h;5!eV0KNfGlD#1zM9gf&bUS#s;8KOh8Ro
wEjhpgv5HZLK}5LBwzwe8P$9QMK{qicN1-IOxCBX_pAS_Y=swmpKy!fr0O%$~h5!Hn

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/dns/spf.zeek b/testing/btest/scripts/base/protocols/dns/spf.zeek
new file mode 100644
index 0000000000..14d743cb1d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/spf.zeek
@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -b -r $TRACES/dns-spf.pcap %INPUT
+# @TEST-EXEC: btest-diff dns.log
+
+@load base/protocols/dns
\ No newline at end of file

From 853a796b9e9d9341c2015c839f72a78def3bd798 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Fri, 14 Jun 2019 19:51:28 -0700
Subject: [PATCH 68/91] GH-406: rename bro.bif to zeek.bif

Fixes GH-406
---
 CHANGES                                       |    4 +
 VERSION                                       |    2 +-
 doc                                           |    2 +-
 scripts/base/init-bare.zeek                   |    2 +-
 src/BroString.cc                              |    2 +-
 src/CMakeLists.txt                            |    2 +-
 src/Func.cc                                   |    6 +-
 src/{bro.bif => zeek.bif}                     |    0
 .../btest/Baseline/core.plugins.hooks/output  | 2289 -----------------
 .../canonified_loaded_scripts.log             |    2 +-
 .../canonified_loaded_scripts.log             |    2 +-
 testing/btest/Baseline/plugins.hooks/output   |   26 +-
 12 files changed, 27 insertions(+), 2312 deletions(-)
 rename src/{bro.bif => zeek.bif} (100%)
 delete mode 100644 testing/btest/Baseline/core.plugins.hooks/output

diff --git a/CHANGES b/CHANGES
index 24f1a203bb..a21f6841fd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.6-413 | 2019-06-14 19:51:28 -0700
+
+  * GH-406: rename bro.bif to zeek.bif (Jon Siwek, Corelight)
+
 2.6-412 | 2019-06-14 19:26:21 -0700
 
   * GH-387: update Broker topic names to use "zeek/" prefix (Jon Siwek, Corelight)
diff --git a/VERSION b/VERSION
index 926bb300ec..a902ec762e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-412
+2.6-413
diff --git a/doc b/doc
index abca6eabff..f77e0400ff 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit abca6eabff514dfdd02c4312fa8f8c1e3d658bfe
+Subproject commit f77e0400ff0057c8461a1dd0658b83de186e6a6b
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 72c58105ae..fde5e48ce3 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1789,7 +1789,7 @@ type gtp_delete_pdp_ctx_response_elements: record {
 };
 
 # Prototypes of Zeek built-in functions.
-@load base/bif/bro.bif
+@load base/bif/zeek.bif
 @load base/bif/stats.bif
 @load base/bif/reporter.bif
 @load base/bif/strings.bif
diff --git a/src/BroString.cc b/src/BroString.cc
index b7e93bdde9..bb741724a5 100644
--- a/src/BroString.cc
+++ b/src/BroString.cc
@@ -288,7 +288,7 @@ void BroString::ToUpper()
 
 BroString* BroString::GetSubstring(int start, int len) const
 	{
-	// This code used to live in bro.bif's sub_bytes() routine.
+	// This code used to live in zeek.bif's sub_bytes() routine.
 	if ( start < 0 || start > n )
 		return 0;
 
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 4176bc3c8f..ab94f512f5 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -103,7 +103,7 @@ set_property(SOURCE scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-comp
 include(BifCl)
 
 set(BIF_SRCS
-    bro.bif
+    zeek.bif
     stats.bif
     event.bif
     const.bif
diff --git a/src/Func.cc b/src/Func.cc
index 90515a0f8f..dc96070980 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -761,13 +761,13 @@ void builtin_error(const char* msg, BroObj* arg)
 		emit(last_call.call);
 	}
 
-#include "bro.bif.func_h"
+#include "zeek.bif.func_h"
 #include "stats.bif.func_h"
 #include "reporter.bif.func_h"
 #include "strings.bif.func_h"
 #include "option.bif.func_h"
 
-#include "bro.bif.func_def"
+#include "zeek.bif.func_def"
 #include "stats.bif.func_def"
 #include "reporter.bif.func_def"
 #include "strings.bif.func_def"
@@ -794,7 +794,7 @@ void init_builtin_funcs()
 
 	var_sizes = internal_type("var_sizes")->AsTableType();
 
-#include "bro.bif.func_init"
+#include "zeek.bif.func_init"
 #include "stats.bif.func_init"
 #include "reporter.bif.func_init"
 #include "strings.bif.func_init"
diff --git a/src/bro.bif b/src/zeek.bif
similarity index 100%
rename from src/bro.bif
rename to src/zeek.bif
diff --git a/testing/btest/Baseline/core.plugins.hooks/output b/testing/btest/Baseline/core.plugins.hooks/output
deleted file mode 100644
index 138d019b34..0000000000
--- a/testing/btest/Baseline/core.plugins.hooks/output
+++ /dev/null
@@ -1,2289 +0,0 @@
-0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_BACKDOOR)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_INTERCONN)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_TCPSTATS)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5353/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5355/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 80/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8000/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6669/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 25/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 587/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 161/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 162/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SOCKS, 1080/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSH, 22/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 443/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 5223/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 563/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 585/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 614/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 636/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 989/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 990/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 992/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 993/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67/udp,68/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355/udp,53/tcp,5353/udp,137/udp,53/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811/tcp,21/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152/udp,2123/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_HTTP, {631/tcp,8888/tcp,3128/tcp,80/tcp,1080/tcp,8000/tcp,81/tcp,8080/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_IRC, {6669/tcp,6666/tcp,6668/tcp,6667/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_MODBUS, {502/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_RADIUS, {1812/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SMTP, {25/tcp,587/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SNMP, {162/udp,161/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SOCKS, {1080/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSH, {22/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSL, {5223/tcp,585/tcp,614/tcp,993/tcp,636/tcp,989/tcp,995/tcp,443/tcp,563/tcp,990/tcp,992/tcp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> <null>
-0.000000   MetaHookPost  CallFunction(Files::register_protocol, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Files::register_protocol, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Cluster::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Communication::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Conn::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (DHCP::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (DNP3::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (DNS::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (DPD::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (FTP::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Files::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (HTTP::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (IRC::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Intel::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Modbus::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Notice::ALARM_LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Notice::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (PacketFilter::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (RADIUS::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Reporter::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (SMTP::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (SNMP::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (SOCKS::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (SSH::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (SSL::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Signatures::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Software::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Syslog::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Tunnel::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Unified2::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Weird::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (X509::LOG)) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Cluster::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Communication::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Conn::LOG, [columns=<no value description>, ev=Conn::log_conn])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (DHCP::LOG, [columns=<no value description>, ev=DHCP::log_dhcp])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (DNP3::LOG, [columns=<no value description>, ev=DNP3::log_dnp3])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (DNS::LOG, [columns=<no value description>, ev=DNS::log_dns])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (DPD::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (FTP::LOG, [columns=<no value description>, ev=FTP::log_ftp])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Files::LOG, [columns=<no value description>, ev=Files::log_files])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (HTTP::LOG, [columns=<no value description>, ev=HTTP::log_http])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (IRC::LOG, [columns=<no value description>, ev=IRC::irc_log])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (SNMP::LOG, [columns=<no value description>, ev=SNMP::log_snmp])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (SOCKS::LOG, [columns=<no value description>, ev=SOCKS::log_socks])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (SSH::LOG, [columns=<no value description>, ev=SSH::log_ssh])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (SSL::LOG, [columns=<no value description>, ev=SSL::log_ssl])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Signatures::LOG, [columns=<no value description>, ev=Signatures::log_signature])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Software::LOG, [columns=<no value description>, ev=Software::log_software])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Syslog::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Tunnel::LOG, [columns=<no value description>, ev=<uninitialized>])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1402676765.077455, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::write, (PacketFilter::LOG, [ts=1402676765.077455, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
-0.000000   MetaHookPost  CallFunction(Notice::want_pp, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(PacketFilter::build, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> <null>
-0.000000   MetaHookPost  CallFunction(PacketFilter::install, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::STD_DEV, SumStats::VARIANCE)) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::VARIANCE, SumStats::AVERAGE)) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> <null>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugins, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(zeek_init, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(filter_change_tracking, ()) -> <null>
-0.000000   MetaHookPost  CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> <null>
-0.000000   MetaHookPost  CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$)) -> <null>
-0.000000   MetaHookPost  DrainEvents() -> <void>
-0.000000   MetaHookPost  DrainEvents() -> <void>
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(../main) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_ARP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_AYIYA.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_BackDoor.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_ConnSize.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_DHCP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_DNP3.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_DNS.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_FTP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_FTP.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_File.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_FileExtract.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_FileExtract.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_FileHash.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Finger.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_GTPv1.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Gnutella.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_HTTP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_HTTP.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_ICMP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_IRC.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Ident.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_InterConn.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Login.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Login.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_MIME.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Modbus.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_NCP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_NTP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_NetBIOS.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_NetFlow.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_PIA.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_POP3.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_RADIUS.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_RPC.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SMB.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SMTP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SMTP.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SNMP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SNMP.types.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SOCKS.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SSH.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SSL.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_SteppingStone.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Syslog.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_TCP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_TCP.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Teredo.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_UDP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Unified2.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_Unified2.types.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_X509.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_X509.functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_X509.types.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./Bro_ZIP.events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./actions/add-geodata) -> -1
-0.000000   MetaHookPost  LoadFile(./actions/drop) -> -1
-0.000000   MetaHookPost  LoadFile(./actions/email_admin) -> -1
-0.000000   MetaHookPost  LoadFile(./actions/page) -> -1
-0.000000   MetaHookPost  LoadFile(./actions/pp-alarms) -> -1
-0.000000   MetaHookPost  LoadFile(./addrs) -> -1
-0.000000   MetaHookPost  LoadFile(./analyzer.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./average) -> -1
-0.000000   MetaHookPost  LoadFile(./average) -> -1
-0.000000   MetaHookPost  LoadFile(./bloom-filter.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./bro.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./zeekygen.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./cardinality-counter.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./const.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./consts.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./contents) -> -1
-0.000000   MetaHookPost  LoadFile(./dcc-send) -> -1
-0.000000   MetaHookPost  LoadFile(./dcc-send) -> -1
-0.000000   MetaHookPost  LoadFile(./entities) -> -1
-0.000000   MetaHookPost  LoadFile(./entities) -> -1
-0.000000   MetaHookPost  LoadFile(./entities) -> -1
-0.000000   MetaHookPost  LoadFile(./entities) -> -1
-0.000000   MetaHookPost  LoadFile(./event.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./events.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./exec) -> -1
-0.000000   MetaHookPost  LoadFile(./extend-email/hostnames) -> -1
-0.000000   MetaHookPost  LoadFile(./file_analysis.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./files) -> -1
-0.000000   MetaHookPost  LoadFile(./files) -> -1
-0.000000   MetaHookPost  LoadFile(./files) -> -1
-0.000000   MetaHookPost  LoadFile(./files) -> -1
-0.000000   MetaHookPost  LoadFile(./files) -> -1
-0.000000   MetaHookPost  LoadFile(./functions.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./gridftp) -> -1
-0.000000   MetaHookPost  LoadFile(./hll_unique) -> -1
-0.000000   MetaHookPost  LoadFile(./inactivity) -> -1
-0.000000   MetaHookPost  LoadFile(./info) -> -1
-0.000000   MetaHookPost  LoadFile(./info) -> -1
-0.000000   MetaHookPost  LoadFile(./info) -> -1
-0.000000   MetaHookPost  LoadFile(./info) -> -1
-0.000000   MetaHookPost  LoadFile(./info) -> -1
-0.000000   MetaHookPost  LoadFile(./input) -> -1
-0.000000   MetaHookPost  LoadFile(./input.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./last) -> -1
-0.000000   MetaHookPost  LoadFile(./logging.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./magic) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main) -> -1
-0.000000   MetaHookPost  LoadFile(./main.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./max) -> -1
-0.000000   MetaHookPost  LoadFile(./min) -> -1
-0.000000   MetaHookPost  LoadFile(./mozilla-ca-list) -> -1
-0.000000   MetaHookPost  LoadFile(./netstats) -> -1
-0.000000   MetaHookPost  LoadFile(./non-cluster) -> -1
-0.000000   MetaHookPost  LoadFile(./non-cluster) -> -1
-0.000000   MetaHookPost  LoadFile(./patterns) -> -1
-0.000000   MetaHookPost  LoadFile(./plugins) -> -1
-0.000000   MetaHookPost  LoadFile(./polling) -> -1
-0.000000   MetaHookPost  LoadFile(./postprocessors) -> -1
-0.000000   MetaHookPost  LoadFile(./readers/ascii) -> -1
-0.000000   MetaHookPost  LoadFile(./readers/benchmark) -> -1
-0.000000   MetaHookPost  LoadFile(./readers/binary) -> -1
-0.000000   MetaHookPost  LoadFile(./readers/raw) -> -1
-0.000000   MetaHookPost  LoadFile(./readers/sqlite) -> -1
-0.000000   MetaHookPost  LoadFile(./reporter.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./sample) -> -1
-0.000000   MetaHookPost  LoadFile(./scp) -> -1
-0.000000   MetaHookPost  LoadFile(./sftp) -> -1
-0.000000   MetaHookPost  LoadFile(./site) -> -1
-0.000000   MetaHookPost  LoadFile(./std-dev) -> -1
-0.000000   MetaHookPost  LoadFile(./strings.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./sum) -> -1
-0.000000   MetaHookPost  LoadFile(./top-k.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./topk) -> -1
-0.000000   MetaHookPost  LoadFile(./types.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./unique) -> -1
-0.000000   MetaHookPost  LoadFile(./utils) -> -1
-0.000000   MetaHookPost  LoadFile(./utils) -> -1
-0.000000   MetaHookPost  LoadFile(./utils) -> -1
-0.000000   MetaHookPost  LoadFile(./utils) -> -1
-0.000000   MetaHookPost  LoadFile(./utils) -> -1
-0.000000   MetaHookPost  LoadFile(./utils) -> -1
-0.000000   MetaHookPost  LoadFile(./utils) -> -1
-0.000000   MetaHookPost  LoadFile(./utils-commands) -> -1
-0.000000   MetaHookPost  LoadFile(./utils-commands) -> -1
-0.000000   MetaHookPost  LoadFile(./utils-commands) -> -1
-0.000000   MetaHookPost  LoadFile(./utils.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./variance) -> -1
-0.000000   MetaHookPost  LoadFile(./variance) -> -1
-0.000000   MetaHookPost  LoadFile(./weird) -> -1
-0.000000   MetaHookPost  LoadFile(./writers/ascii) -> -1
-0.000000   MetaHookPost  LoadFile(./writers/dataseries) -> -1
-0.000000   MetaHookPost  LoadFile(./writers/elasticsearch) -> -1
-0.000000   MetaHookPost  LoadFile(./writers/none) -> -1
-0.000000   MetaHookPost  LoadFile(./writers/sqlite) -> -1
-0.000000   MetaHookPost  LoadFile(/Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/hooks.bro) -> -1
-0.000000   MetaHookPost  LoadFile(/Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/lib/bif/__load__.bro) -> -1
-0.000000   MetaHookPost  LoadFile(/Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/scripts/__load__.bro) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/analyzer.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/bro.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/const.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/event.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/file_analysis.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/input.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/logging.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/plugins) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/plugins/Bro_SNMP.types.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/reporter.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/strings.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/bif/types.bif) -> -1
-0.000000   MetaHookPost  LoadFile(base/files/extract) -> -1
-0.000000   MetaHookPost  LoadFile(base/files/hash) -> -1
-0.000000   MetaHookPost  LoadFile(base/files/hash) -> -1
-0.000000   MetaHookPost  LoadFile(base/files/unified2) -> -1
-0.000000   MetaHookPost  LoadFile(base/files/x509) -> -1
-0.000000   MetaHookPost  LoadFile(base/files/x509) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/analyzer) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/analyzer) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/analyzer) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/analyzer) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/cluster) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/cluster) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/cluster) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/cluster) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/cluster) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/cluster) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/communication) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/control) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/control) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/dpd) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/input) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/input) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/intel) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/logging) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/logging) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/notice) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/packet-filter) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/packet-filter) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/packet-filter/utils) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/reporter) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/reporter) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/signatures) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/software) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/sumstats) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/sumstats) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/sumstats) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/sumstats) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/sumstats/main) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/tunnels) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/tunnels) -> -1
-0.000000   MetaHookPost  LoadFile(base/frameworks/tunnels) -> -1
-0.000000   MetaHookPost  LoadFile(base/init-default.bro) -> -1
-0.000000   MetaHookPost  LoadFile(base/misc/find-checksum-offloading) -> -1
-0.000000   MetaHookPost  LoadFile(base/misc/find-filtered-trace) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/conn) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/conn) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/conn) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/dhcp) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/dnp3) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/dns) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/ftp) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/http) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/irc) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/modbus) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/pop3) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/radius) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/smtp) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/snmp) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/socks) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/ssh) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/ssl) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/ssl) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/ssl) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/syslog) -> -1
-0.000000   MetaHookPost  LoadFile(base/protocols/tunnels) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/active-http) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/addrs) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/addrs) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/addrs) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/addrs) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/addrs) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/addrs) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/addrs) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/conn-ids) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/conn-ids) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/conn-ids) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/conn-ids) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/conn-ids) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/conn-ids) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/conn-ids) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/conn-ids) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/dir) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/dir) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/directions-and-hosts) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/directions-and-hosts) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/directions-and-hosts) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/directions-and-hosts) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/exec) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/exec) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/files) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/numbers) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/numbers) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/numbers) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/numbers) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/paths) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/paths) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/paths) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/paths) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/paths) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/paths) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/patterns) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/queue) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/queue) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/queue) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/site) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/site) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/site) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/site) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/site) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/site) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/site) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/strings) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/strings) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/strings) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/thresholds) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/thresholds) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/time) -> -1
-0.000000   MetaHookPost  LoadFile(base/utils/urls) -> -1
-0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
-0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_BACKDOOR))
-0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_INTERCONN))
-0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_STEPPINGSTONE))
-0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, (Analyzer::ANALYZER_TCPSTATS))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5353/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 5355/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 21/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_FTP, 2811/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2123/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_GTPV1, 2152/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 1080/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 3128/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 631/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 80/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8000/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8080/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 81/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_HTTP, 8888/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6666/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6667/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6668/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_IRC, 6669/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_MODBUS, 502/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_RADIUS, 1812/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 25/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SMTP, 587/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 161/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SNMP, 162/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SOCKS, 1080/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSH, 22/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 443/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 5223/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 563/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 585/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 614/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 636/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 989/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 990/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 992/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 993/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SSL, 995/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_SYSLOG, 514/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67/udp,68/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355/udp,53/tcp,5353/udp,137/udp,53/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811/tcp,21/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152/udp,2123/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_HTTP, {631/tcp,8888/tcp,3128/tcp,80/tcp,1080/tcp,8000/tcp,81/tcp,8080/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_IRC, {6669/tcp,6666/tcp,6668/tcp,6667/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_MODBUS, {502/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_RADIUS, {1812/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SMTP, {25/tcp,587/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SNMP, {162/udp,161/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SOCKS, {1080/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSH, {22/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SSL, {5223/tcp,585/tcp,614/tcp,993/tcp,636/tcp,989/tcp,995/tcp,443/tcp,563/tcp,990/tcp,992/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, ())
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, ())
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, ())
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, ())
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, ())
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, ())
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, ())
-0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Cluster::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Communication::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Conn::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (DHCP::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (DNP3::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (DNS::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (DPD::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (FTP::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Files::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (HTTP::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (IRC::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Intel::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Modbus::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Notice::ALARM_LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Notice::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (PacketFilter::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (RADIUS::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Reporter::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (SMTP::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (SNMP::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (SOCKS::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (SSH::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (SSL::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Signatures::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Software::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Syslog::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Tunnel::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Unified2::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Weird::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (X509::LOG))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::add_filter, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Cluster::LOG, [columns=<no value description>, ev=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Communication::LOG, [columns=<no value description>, ev=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Conn::LOG, [columns=<no value description>, ev=Conn::log_conn]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (DHCP::LOG, [columns=<no value description>, ev=DHCP::log_dhcp]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (DNP3::LOG, [columns=<no value description>, ev=DNP3::log_dnp3]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (DNS::LOG, [columns=<no value description>, ev=DNS::log_dns]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (DPD::LOG, [columns=<no value description>, ev=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (FTP::LOG, [columns=<no value description>, ev=FTP::log_ftp]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Files::LOG, [columns=<no value description>, ev=Files::log_files]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (HTTP::LOG, [columns=<no value description>, ev=HTTP::log_http]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (IRC::LOG, [columns=<no value description>, ev=IRC::irc_log]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Intel::LOG, [columns=<no value description>, ev=Intel::log_intel]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Notice::LOG, [columns=<no value description>, ev=Notice::log_notice]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Reporter::LOG, [columns=<no value description>, ev=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (SNMP::LOG, [columns=<no value description>, ev=SNMP::log_snmp]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (SOCKS::LOG, [columns=<no value description>, ev=SOCKS::log_socks]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (SSH::LOG, [columns=<no value description>, ev=SSH::log_ssh]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (SSL::LOG, [columns=<no value description>, ev=SSL::log_ssl]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Signatures::LOG, [columns=<no value description>, ev=Signatures::log_signature]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Software::LOG, [columns=<no value description>, ev=Software::log_software]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Syslog::LOG, [columns=<no value description>, ev=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Tunnel::LOG, [columns=<no value description>, ev=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
-0.000000   MetaHookPre   CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1402676765.077455, node=bro, filter=ip or not ip, init=T, success=T]))
-0.000000   MetaHookPre   CallFunction(Log::write, (PacketFilter::LOG, [ts=1402676765.077455, node=bro, filter=ip or not ip, init=T, success=T]))
-0.000000   MetaHookPre   CallFunction(Notice::want_pp, ())
-0.000000   MetaHookPre   CallFunction(PacketFilter::build, ())
-0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, (ip or not ip, and, ))
-0.000000   MetaHookPre   CallFunction(PacketFilter::install, ())
-0.000000   MetaHookPre   CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::STD_DEV, SumStats::VARIANCE))
-0.000000   MetaHookPre   CallFunction(SumStats::add_observe_plugin_dependency, (SumStats::VARIANCE, SumStats::AVERAGE))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, (SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average}))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugins, ())
-0.000000   MetaHookPre   CallFunction(zeek_init, ())
-0.000000   MetaHookPre   CallFunction(filter_change_tracking, ())
-0.000000   MetaHookPre   CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$))
-0.000000   MetaHookPre   CallFunction(set_to_regex, ({}, (^\.?|\.)(~~)$))
-0.000000   MetaHookPre   DrainEvents()
-0.000000   MetaHookPre   DrainEvents()
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(../main)
-0.000000   MetaHookPre   LoadFile(./Bro_ARP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_AYIYA.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_BackDoor.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_BitTorrent.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_ConnSize.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_DCE_RPC.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_DHCP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_DNP3.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_DNS.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_FTP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_FTP.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_File.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_FileExtract.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_FileExtract.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_FileHash.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Finger.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_GTPv1.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Gnutella.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_HTTP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_HTTP.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_ICMP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_IRC.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Ident.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_InterConn.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Login.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Login.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_MIME.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Modbus.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_NCP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_NTP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_NetBIOS.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_NetBIOS.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_NetFlow.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_PIA.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_POP3.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_RADIUS.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_RPC.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SMB.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SMTP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SMTP.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SNMP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SNMP.types.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SOCKS.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SSH.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SSL.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_SteppingStone.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Syslog.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_TCP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_TCP.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Teredo.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_UDP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Unified2.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_Unified2.types.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_X509.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_X509.functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_X509.types.bif.bro)
-0.000000   MetaHookPre   LoadFile(./Bro_ZIP.events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./actions/add-geodata)
-0.000000   MetaHookPre   LoadFile(./actions/drop)
-0.000000   MetaHookPre   LoadFile(./actions/email_admin)
-0.000000   MetaHookPre   LoadFile(./actions/page)
-0.000000   MetaHookPre   LoadFile(./actions/pp-alarms)
-0.000000   MetaHookPre   LoadFile(./addrs)
-0.000000   MetaHookPre   LoadFile(./analyzer.bif.bro)
-0.000000   MetaHookPre   LoadFile(./average)
-0.000000   MetaHookPre   LoadFile(./average)
-0.000000   MetaHookPre   LoadFile(./bloom-filter.bif.bro)
-0.000000   MetaHookPre   LoadFile(./bro.bif.bro)
-0.000000   MetaHookPre   LoadFile(./zeekygen.bif.bro)
-0.000000   MetaHookPre   LoadFile(./cardinality-counter.bif.bro)
-0.000000   MetaHookPre   LoadFile(./const.bif.bro)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts.bif.bro)
-0.000000   MetaHookPre   LoadFile(./consts.bro)
-0.000000   MetaHookPre   LoadFile(./contents)
-0.000000   MetaHookPre   LoadFile(./dcc-send)
-0.000000   MetaHookPre   LoadFile(./dcc-send)
-0.000000   MetaHookPre   LoadFile(./entities)
-0.000000   MetaHookPre   LoadFile(./entities)
-0.000000   MetaHookPre   LoadFile(./entities)
-0.000000   MetaHookPre   LoadFile(./entities)
-0.000000   MetaHookPre   LoadFile(./event.bif.bro)
-0.000000   MetaHookPre   LoadFile(./events.bif.bro)
-0.000000   MetaHookPre   LoadFile(./exec)
-0.000000   MetaHookPre   LoadFile(./extend-email/hostnames)
-0.000000   MetaHookPre   LoadFile(./file_analysis.bif.bro)
-0.000000   MetaHookPre   LoadFile(./files)
-0.000000   MetaHookPre   LoadFile(./files)
-0.000000   MetaHookPre   LoadFile(./files)
-0.000000   MetaHookPre   LoadFile(./files)
-0.000000   MetaHookPre   LoadFile(./files)
-0.000000   MetaHookPre   LoadFile(./functions.bif.bro)
-0.000000   MetaHookPre   LoadFile(./gridftp)
-0.000000   MetaHookPre   LoadFile(./hll_unique)
-0.000000   MetaHookPre   LoadFile(./inactivity)
-0.000000   MetaHookPre   LoadFile(./info)
-0.000000   MetaHookPre   LoadFile(./info)
-0.000000   MetaHookPre   LoadFile(./info)
-0.000000   MetaHookPre   LoadFile(./info)
-0.000000   MetaHookPre   LoadFile(./info)
-0.000000   MetaHookPre   LoadFile(./input)
-0.000000   MetaHookPre   LoadFile(./input.bif.bro)
-0.000000   MetaHookPre   LoadFile(./last)
-0.000000   MetaHookPre   LoadFile(./logging.bif.bro)
-0.000000   MetaHookPre   LoadFile(./magic)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main)
-0.000000   MetaHookPre   LoadFile(./main.bro)
-0.000000   MetaHookPre   LoadFile(./max)
-0.000000   MetaHookPre   LoadFile(./min)
-0.000000   MetaHookPre   LoadFile(./mozilla-ca-list)
-0.000000   MetaHookPre   LoadFile(./netstats)
-0.000000   MetaHookPre   LoadFile(./non-cluster)
-0.000000   MetaHookPre   LoadFile(./non-cluster)
-0.000000   MetaHookPre   LoadFile(./patterns)
-0.000000   MetaHookPre   LoadFile(./plugins)
-0.000000   MetaHookPre   LoadFile(./polling)
-0.000000   MetaHookPre   LoadFile(./postprocessors)
-0.000000   MetaHookPre   LoadFile(./readers/ascii)
-0.000000   MetaHookPre   LoadFile(./readers/benchmark)
-0.000000   MetaHookPre   LoadFile(./readers/binary)
-0.000000   MetaHookPre   LoadFile(./readers/raw)
-0.000000   MetaHookPre   LoadFile(./readers/sqlite)
-0.000000   MetaHookPre   LoadFile(./reporter.bif.bro)
-0.000000   MetaHookPre   LoadFile(./sample)
-0.000000   MetaHookPre   LoadFile(./scp)
-0.000000   MetaHookPre   LoadFile(./sftp)
-0.000000   MetaHookPre   LoadFile(./site)
-0.000000   MetaHookPre   LoadFile(./std-dev)
-0.000000   MetaHookPre   LoadFile(./strings.bif.bro)
-0.000000   MetaHookPre   LoadFile(./sum)
-0.000000   MetaHookPre   LoadFile(./top-k.bif.bro)
-0.000000   MetaHookPre   LoadFile(./topk)
-0.000000   MetaHookPre   LoadFile(./types.bif.bro)
-0.000000   MetaHookPre   LoadFile(./unique)
-0.000000   MetaHookPre   LoadFile(./utils)
-0.000000   MetaHookPre   LoadFile(./utils)
-0.000000   MetaHookPre   LoadFile(./utils)
-0.000000   MetaHookPre   LoadFile(./utils)
-0.000000   MetaHookPre   LoadFile(./utils)
-0.000000   MetaHookPre   LoadFile(./utils)
-0.000000   MetaHookPre   LoadFile(./utils)
-0.000000   MetaHookPre   LoadFile(./utils-commands)
-0.000000   MetaHookPre   LoadFile(./utils-commands)
-0.000000   MetaHookPre   LoadFile(./utils-commands)
-0.000000   MetaHookPre   LoadFile(./utils.bro)
-0.000000   MetaHookPre   LoadFile(./variance)
-0.000000   MetaHookPre   LoadFile(./variance)
-0.000000   MetaHookPre   LoadFile(./weird)
-0.000000   MetaHookPre   LoadFile(./writers/ascii)
-0.000000   MetaHookPre   LoadFile(./writers/dataseries)
-0.000000   MetaHookPre   LoadFile(./writers/elasticsearch)
-0.000000   MetaHookPre   LoadFile(./writers/none)
-0.000000   MetaHookPre   LoadFile(./writers/sqlite)
-0.000000   MetaHookPre   LoadFile(/Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/hooks.bro)
-0.000000   MetaHookPre   LoadFile(/Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/lib/bif/__load__.bro)
-0.000000   MetaHookPre   LoadFile(/Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/scripts/__load__.bro)
-0.000000   MetaHookPre   LoadFile(base/bif)
-0.000000   MetaHookPre   LoadFile(base/bif/analyzer.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/bro.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/const.bif.bro)
-0.000000   MetaHookPre   LoadFile(base/bif/event.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/file_analysis.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/input.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/logging.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/plugins)
-0.000000   MetaHookPre   LoadFile(base/bif/plugins/Bro_SNMP.types.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/reporter.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/strings.bif)
-0.000000   MetaHookPre   LoadFile(base/bif/types.bif)
-0.000000   MetaHookPre   LoadFile(base/files/extract)
-0.000000   MetaHookPre   LoadFile(base/files/hash)
-0.000000   MetaHookPre   LoadFile(base/files/hash)
-0.000000   MetaHookPre   LoadFile(base/files/unified2)
-0.000000   MetaHookPre   LoadFile(base/files/x509)
-0.000000   MetaHookPre   LoadFile(base/files/x509)
-0.000000   MetaHookPre   LoadFile(base/frameworks/analyzer)
-0.000000   MetaHookPre   LoadFile(base/frameworks/analyzer)
-0.000000   MetaHookPre   LoadFile(base/frameworks/analyzer)
-0.000000   MetaHookPre   LoadFile(base/frameworks/analyzer)
-0.000000   MetaHookPre   LoadFile(base/frameworks/cluster)
-0.000000   MetaHookPre   LoadFile(base/frameworks/cluster)
-0.000000   MetaHookPre   LoadFile(base/frameworks/cluster)
-0.000000   MetaHookPre   LoadFile(base/frameworks/cluster)
-0.000000   MetaHookPre   LoadFile(base/frameworks/cluster)
-0.000000   MetaHookPre   LoadFile(base/frameworks/cluster)
-0.000000   MetaHookPre   LoadFile(base/frameworks/communication)
-0.000000   MetaHookPre   LoadFile(base/frameworks/control)
-0.000000   MetaHookPre   LoadFile(base/frameworks/control)
-0.000000   MetaHookPre   LoadFile(base/frameworks/dpd)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/files)
-0.000000   MetaHookPre   LoadFile(base/frameworks/input)
-0.000000   MetaHookPre   LoadFile(base/frameworks/input)
-0.000000   MetaHookPre   LoadFile(base/frameworks/intel)
-0.000000   MetaHookPre   LoadFile(base/frameworks/logging)
-0.000000   MetaHookPre   LoadFile(base/frameworks/logging)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/notice)
-0.000000   MetaHookPre   LoadFile(base/frameworks/packet-filter)
-0.000000   MetaHookPre   LoadFile(base/frameworks/packet-filter)
-0.000000   MetaHookPre   LoadFile(base/frameworks/packet-filter/utils)
-0.000000   MetaHookPre   LoadFile(base/frameworks/reporter)
-0.000000   MetaHookPre   LoadFile(base/frameworks/reporter)
-0.000000   MetaHookPre   LoadFile(base/frameworks/signatures)
-0.000000   MetaHookPre   LoadFile(base/frameworks/software)
-0.000000   MetaHookPre   LoadFile(base/frameworks/sumstats)
-0.000000   MetaHookPre   LoadFile(base/frameworks/sumstats)
-0.000000   MetaHookPre   LoadFile(base/frameworks/sumstats)
-0.000000   MetaHookPre   LoadFile(base/frameworks/sumstats)
-0.000000   MetaHookPre   LoadFile(base/frameworks/sumstats/main)
-0.000000   MetaHookPre   LoadFile(base/frameworks/tunnels)
-0.000000   MetaHookPre   LoadFile(base/frameworks/tunnels)
-0.000000   MetaHookPre   LoadFile(base/frameworks/tunnels)
-0.000000   MetaHookPre   LoadFile(base/init-default.bro)
-0.000000   MetaHookPre   LoadFile(base/misc/find-checksum-offloading)
-0.000000   MetaHookPre   LoadFile(base/misc/find-filtered-trace)
-0.000000   MetaHookPre   LoadFile(base/protocols/conn)
-0.000000   MetaHookPre   LoadFile(base/protocols/conn)
-0.000000   MetaHookPre   LoadFile(base/protocols/conn)
-0.000000   MetaHookPre   LoadFile(base/protocols/dhcp)
-0.000000   MetaHookPre   LoadFile(base/protocols/dnp3)
-0.000000   MetaHookPre   LoadFile(base/protocols/dns)
-0.000000   MetaHookPre   LoadFile(base/protocols/ftp)
-0.000000   MetaHookPre   LoadFile(base/protocols/http)
-0.000000   MetaHookPre   LoadFile(base/protocols/irc)
-0.000000   MetaHookPre   LoadFile(base/protocols/modbus)
-0.000000   MetaHookPre   LoadFile(base/protocols/pop3)
-0.000000   MetaHookPre   LoadFile(base/protocols/radius)
-0.000000   MetaHookPre   LoadFile(base/protocols/smtp)
-0.000000   MetaHookPre   LoadFile(base/protocols/snmp)
-0.000000   MetaHookPre   LoadFile(base/protocols/socks)
-0.000000   MetaHookPre   LoadFile(base/protocols/ssh)
-0.000000   MetaHookPre   LoadFile(base/protocols/ssl)
-0.000000   MetaHookPre   LoadFile(base/protocols/ssl)
-0.000000   MetaHookPre   LoadFile(base/protocols/ssl)
-0.000000   MetaHookPre   LoadFile(base/protocols/syslog)
-0.000000   MetaHookPre   LoadFile(base/protocols/tunnels)
-0.000000   MetaHookPre   LoadFile(base/utils/active-http)
-0.000000   MetaHookPre   LoadFile(base/utils/addrs)
-0.000000   MetaHookPre   LoadFile(base/utils/addrs)
-0.000000   MetaHookPre   LoadFile(base/utils/addrs)
-0.000000   MetaHookPre   LoadFile(base/utils/addrs)
-0.000000   MetaHookPre   LoadFile(base/utils/addrs)
-0.000000   MetaHookPre   LoadFile(base/utils/addrs)
-0.000000   MetaHookPre   LoadFile(base/utils/addrs)
-0.000000   MetaHookPre   LoadFile(base/utils/conn-ids)
-0.000000   MetaHookPre   LoadFile(base/utils/conn-ids)
-0.000000   MetaHookPre   LoadFile(base/utils/conn-ids)
-0.000000   MetaHookPre   LoadFile(base/utils/conn-ids)
-0.000000   MetaHookPre   LoadFile(base/utils/conn-ids)
-0.000000   MetaHookPre   LoadFile(base/utils/conn-ids)
-0.000000   MetaHookPre   LoadFile(base/utils/conn-ids)
-0.000000   MetaHookPre   LoadFile(base/utils/conn-ids)
-0.000000   MetaHookPre   LoadFile(base/utils/dir)
-0.000000   MetaHookPre   LoadFile(base/utils/dir)
-0.000000   MetaHookPre   LoadFile(base/utils/directions-and-hosts)
-0.000000   MetaHookPre   LoadFile(base/utils/directions-and-hosts)
-0.000000   MetaHookPre   LoadFile(base/utils/directions-and-hosts)
-0.000000   MetaHookPre   LoadFile(base/utils/directions-and-hosts)
-0.000000   MetaHookPre   LoadFile(base/utils/exec)
-0.000000   MetaHookPre   LoadFile(base/utils/exec)
-0.000000   MetaHookPre   LoadFile(base/utils/files)
-0.000000   MetaHookPre   LoadFile(base/utils/files)
-0.000000   MetaHookPre   LoadFile(base/utils/files)
-0.000000   MetaHookPre   LoadFile(base/utils/files)
-0.000000   MetaHookPre   LoadFile(base/utils/files)
-0.000000   MetaHookPre   LoadFile(base/utils/files)
-0.000000   MetaHookPre   LoadFile(base/utils/numbers)
-0.000000   MetaHookPre   LoadFile(base/utils/numbers)
-0.000000   MetaHookPre   LoadFile(base/utils/numbers)
-0.000000   MetaHookPre   LoadFile(base/utils/numbers)
-0.000000   MetaHookPre   LoadFile(base/utils/paths)
-0.000000   MetaHookPre   LoadFile(base/utils/paths)
-0.000000   MetaHookPre   LoadFile(base/utils/paths)
-0.000000   MetaHookPre   LoadFile(base/utils/paths)
-0.000000   MetaHookPre   LoadFile(base/utils/paths)
-0.000000   MetaHookPre   LoadFile(base/utils/paths)
-0.000000   MetaHookPre   LoadFile(base/utils/patterns)
-0.000000   MetaHookPre   LoadFile(base/utils/queue)
-0.000000   MetaHookPre   LoadFile(base/utils/queue)
-0.000000   MetaHookPre   LoadFile(base/utils/queue)
-0.000000   MetaHookPre   LoadFile(base/utils/site)
-0.000000   MetaHookPre   LoadFile(base/utils/site)
-0.000000   MetaHookPre   LoadFile(base/utils/site)
-0.000000   MetaHookPre   LoadFile(base/utils/site)
-0.000000   MetaHookPre   LoadFile(base/utils/site)
-0.000000   MetaHookPre   LoadFile(base/utils/site)
-0.000000   MetaHookPre   LoadFile(base/utils/site)
-0.000000   MetaHookPre   LoadFile(base/utils/strings)
-0.000000   MetaHookPre   LoadFile(base/utils/strings)
-0.000000   MetaHookPre   LoadFile(base/utils/strings)
-0.000000   MetaHookPre   LoadFile(base/utils/thresholds)
-0.000000   MetaHookPre   LoadFile(base/utils/thresholds)
-0.000000   MetaHookPre   LoadFile(base/utils/time)
-0.000000   MetaHookPre   LoadFile(base/utils/urls)
-0.000000   MetaHookPre   QueueEvent(zeek_init())
-0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_INTERCONN)
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 68/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 137/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5353/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5355/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 80/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8000/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6669/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_MODBUS, 502/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMTP, 25/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMTP, 587/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SNMP, 161/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SNMP, 162/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SOCKS, 1080/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 22/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 443/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 5223/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 563/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 585/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 614/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 636/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 989/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 990/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 992/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 993/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67/udp,68/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, {20000/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5355/udp,53/tcp,5353/udp,137/udp,53/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811/tcp,21/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152/udp,2123/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {631/tcp,8888/tcp,3128/tcp,80/tcp,1080/tcp,8000/tcp,81/tcp,8080/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6669/tcp,6666/tcp,6668/tcp,6667/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, {502/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, {1812/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, {25/tcp,587/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, {162/udp,161/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, {1080/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, {22/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223/tcp,585/tcp,614/tcp,993/tcp,636/tcp,989/tcp,995/tcp,443/tcp,563/tcp,990/tcp,992/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
-0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ <init> SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ <init> SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial,  Subject: , SSL::f$info$x509$certificate$subject,  Issuer: , SSL::f$info$x509$certificate$issuer))}}])
-0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(DHCP::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(DNP3::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(DNS::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(DPD::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(FTP::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Files::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(HTTP::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(IRC::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Intel::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Modbus::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Notice::ALARM_LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Notice::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(PacketFilter::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(RADIUS::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Reporter::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(SMTP::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(SNMP::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(SOCKS::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(SSH::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(SSL::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Signatures::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Software::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Syslog::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Tunnel::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Unified2::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(Weird::LOG)
-0.000000 | HookCallFunction Log::add_default_filter(X509::LOG)
-0.000000 | HookCallFunction Log::add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Unified2::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=<uninitialized>, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, interv=0 secs, postprocessor=<uninitialized>, config={}])
-0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=<no value description>, ev=<uninitialized>])
-0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=<no value description>, ev=<uninitialized>])
-0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=<no value description>, ev=Conn::log_conn])
-0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=<no value description>, ev=DHCP::log_dhcp])
-0.000000 | HookCallFunction Log::create_stream(DNP3::LOG, [columns=<no value description>, ev=DNP3::log_dnp3])
-0.000000 | HookCallFunction Log::create_stream(DNS::LOG, [columns=<no value description>, ev=DNS::log_dns])
-0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=<no value description>, ev=<uninitialized>])
-0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=<no value description>, ev=FTP::log_ftp])
-0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=<no value description>, ev=Files::log_files])
-0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=<no value description>, ev=HTTP::log_http])
-0.000000 | HookCallFunction Log::create_stream(IRC::LOG, [columns=<no value description>, ev=IRC::irc_log])
-0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=<no value description>, ev=Intel::log_intel])
-0.000000 | HookCallFunction Log::create_stream(Modbus::LOG, [columns=<no value description>, ev=Modbus::log_modbus])
-0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=<no value description>, ev=<uninitialized>])
-0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=<no value description>, ev=Notice::log_notice])
-0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=<no value description>, ev=<uninitialized>])
-0.000000 | HookCallFunction Log::create_stream(RADIUS::LOG, [columns=<no value description>, ev=RADIUS::log_radius])
-0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=<no value description>, ev=<uninitialized>])
-0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=<no value description>, ev=SMTP::log_smtp])
-0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=<no value description>, ev=SNMP::log_snmp])
-0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=<no value description>, ev=SOCKS::log_socks])
-0.000000 | HookCallFunction Log::create_stream(SSH::LOG, [columns=<no value description>, ev=SSH::log_ssh])
-0.000000 | HookCallFunction Log::create_stream(SSL::LOG, [columns=<no value description>, ev=SSL::log_ssl])
-0.000000 | HookCallFunction Log::create_stream(Signatures::LOG, [columns=<no value description>, ev=Signatures::log_signature])
-0.000000 | HookCallFunction Log::create_stream(Software::LOG, [columns=<no value description>, ev=Software::log_software])
-0.000000 | HookCallFunction Log::create_stream(Syslog::LOG, [columns=<no value description>, ev=<uninitialized>])
-0.000000 | HookCallFunction Log::create_stream(Tunnel::LOG, [columns=<no value description>, ev=<uninitialized>])
-0.000000 | HookCallFunction Log::create_stream(Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2])
-0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
-0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
-0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1402676765.077455, node=bro, filter=ip or not ip, init=T, success=T])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1402676765.077455, node=bro, filter=ip or not ip, init=T, success=T])
-0.000000 | HookCallFunction Notice::want_pp()
-0.000000 | HookCallFunction PacketFilter::build()
-0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
-0.000000 | HookCallFunction PacketFilter::install()
-0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::STD_DEV, SumStats::VARIANCE)
-0.000000 | HookCallFunction SumStats::add_observe_plugin_dependency(SumStats::VARIANCE, SumStats::AVERAGE)
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::AVERAGE, anonymous-function{ if (!SumStats::rv?$average) SumStats::rv$average = SumStats::valelseSumStats::rv$average += (SumStats::val - SumStats::rv$average) / (coerce SumStats::rv$num to double)})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::HLL_UNIQUE, anonymous-function{ if (!SumStats::rv?$card) { SumStats::rv$card = hll_cardinality_init(SumStats::r$hll_error_margin, SumStats::r$hll_confidence)SumStats::rv$hll_error_margin = SumStats::r$hll_error_marginSumStats::rv$hll_confidence = SumStats::r$hll_confidence}hll_cardinality_add(SumStats::rv$card, SumStats::obs)SumStats::rv$hll_unique = double_to_count(hll_cardinality_estimate(SumStats::rv$card))})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::LAST, anonymous-function{ if (0 < SumStats::r$num_last_elements) { if (!SumStats::rv?$last_elements) SumStats::rv$last_elements = Queue::init((coerce [$max_len=SumStats::r$num_last_elements] to Queue::Settings))Queue::put(SumStats::rv$last_elements, SumStats::obs)}})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::MAX, anonymous-function{ if (!SumStats::rv?$max) SumStats::rv$max = SumStats::valelseif (SumStats::rv$max < SumStats::val) SumStats::rv$max = SumStats::val})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::MIN, anonymous-function{ if (!SumStats::rv?$min) SumStats::rv$min = SumStats::valelseif (SumStats::val < SumStats::rv$min) SumStats::rv$min = SumStats::val})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::SAMPLE, anonymous-function{ SumStats::sample_add_sample(SumStats::obs, SumStats::rv)})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::STD_DEV, anonymous-function{ SumStats::calc_std_dev(SumStats::rv)})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::SUM, anonymous-function{ SumStats::rv$sum += SumStats::val})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::TOPK, anonymous-function{ topk_add(SumStats::rv$topk, SumStats::obs)})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::UNIQUE, anonymous-function{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || flattenSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = flattenSumStats::rv$unique_vals})
-0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::VARIANCE, anonymous-function{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})
-0.000000 | HookCallFunction SumStats::register_observe_plugins()
-0.000000 | HookCallFunction zeek_init()
-0.000000 | HookCallFunction filter_change_tracking()
-0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
-0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
-0.000000 | HookDrainEvents
-0.000000 | HookDrainEvents
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ../main.bro/bro
-0.000000 | HookLoadFile  ./Bro_ARP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_AYIYA.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_BackDoor.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_BitTorrent.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_ConnSize.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_DCE_RPC.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_DHCP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_DNP3.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_DNS.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_FTP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_FTP.functions.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_File.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_FileExtract.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_FileExtract.functions.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_FileHash.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Finger.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_GTPv1.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Gnutella.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_HTTP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_HTTP.functions.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_ICMP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_IRC.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Ident.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_InterConn.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Login.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Login.functions.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_MIME.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Modbus.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_NCP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_NTP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_NetBIOS.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_NetBIOS.functions.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_NetFlow.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_PIA.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_POP3.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_RADIUS.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_RPC.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SMB.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SMTP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SMTP.functions.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SNMP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SNMP.types.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SOCKS.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SSH.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SSL.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_SteppingStone.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Syslog.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_TCP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_TCP.functions.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Teredo.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_UDP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Unified2.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_Unified2.types.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_X509.events.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_X509.functions.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_X509.types.bif.bro/bro
-0.000000 | HookLoadFile  ./Bro_ZIP.events.bif.bro/bro
-0.000000 | HookLoadFile  ./actions/add-geodata.bro/bro
-0.000000 | HookLoadFile  ./actions/drop.bro/bro
-0.000000 | HookLoadFile  ./actions/email_admin.bro/bro
-0.000000 | HookLoadFile  ./actions/page.bro/bro
-0.000000 | HookLoadFile  ./actions/pp-alarms.bro/bro
-0.000000 | HookLoadFile  ./addrs.bro/bro
-0.000000 | HookLoadFile  ./analyzer.bif.bro/bro
-0.000000 | HookLoadFile  ./average.bro/bro
-0.000000 | HookLoadFile  ./average.bro/bro
-0.000000 | HookLoadFile  ./bloom-filter.bif.bro/bro
-0.000000 | HookLoadFile  ./bro.bif.bro/bro
-0.000000 | HookLoadFile  ./zeekygen.bif.bro/bro
-0.000000 | HookLoadFile  ./cardinality-counter.bif.bro/bro
-0.000000 | HookLoadFile  ./const.bif.bro/bro
-0.000000 | HookLoadFile  ./consts.bif.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./consts.bro/bro
-0.000000 | HookLoadFile  ./contents.bro/bro
-0.000000 | HookLoadFile  ./dcc-send.bro/bro
-0.000000 | HookLoadFile  ./dcc-send.bro/bro
-0.000000 | HookLoadFile  ./entities.bro/bro
-0.000000 | HookLoadFile  ./entities.bro/bro
-0.000000 | HookLoadFile  ./entities.bro/bro
-0.000000 | HookLoadFile  ./entities.bro/bro
-0.000000 | HookLoadFile  ./event.bif.bro/bro
-0.000000 | HookLoadFile  ./events.bif.bro/bro
-0.000000 | HookLoadFile  ./exec.bro/bro
-0.000000 | HookLoadFile  ./extend-email/hostnames.bro/bro
-0.000000 | HookLoadFile  ./file_analysis.bif.bro/bro
-0.000000 | HookLoadFile  ./files.bro/bro
-0.000000 | HookLoadFile  ./files.bro/bro
-0.000000 | HookLoadFile  ./files.bro/bro
-0.000000 | HookLoadFile  ./files.bro/bro
-0.000000 | HookLoadFile  ./files.bro/bro
-0.000000 | HookLoadFile  ./functions.bif.bro/bro
-0.000000 | HookLoadFile  ./gridftp.bro/bro
-0.000000 | HookLoadFile  ./hll_unique.bro/bro
-0.000000 | HookLoadFile  ./inactivity.bro/bro
-0.000000 | HookLoadFile  ./info.bro/bro
-0.000000 | HookLoadFile  ./info.bro/bro
-0.000000 | HookLoadFile  ./info.bro/bro
-0.000000 | HookLoadFile  ./info.bro/bro
-0.000000 | HookLoadFile  ./info.bro/bro
-0.000000 | HookLoadFile  ./input.bif.bro/bro
-0.000000 | HookLoadFile  ./input.bro/bro
-0.000000 | HookLoadFile  ./last.bro/bro
-0.000000 | HookLoadFile  ./logging.bif.bro/bro
-0.000000 | HookLoadFile  ./magic.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./main.bro/bro
-0.000000 | HookLoadFile  ./max.bro/bro
-0.000000 | HookLoadFile  ./min.bro/bro
-0.000000 | HookLoadFile  ./mozilla-ca-list.bro/bro
-0.000000 | HookLoadFile  ./netstats.bro/bro
-0.000000 | HookLoadFile  ./non-cluster.bro/bro
-0.000000 | HookLoadFile  ./non-cluster.bro/bro
-0.000000 | HookLoadFile  ./patterns.bro/bro
-0.000000 | HookLoadFile  ./plugins.bro/bro
-0.000000 | HookLoadFile  ./polling.bro/bro
-0.000000 | HookLoadFile  ./postprocessors.bro/bro
-0.000000 | HookLoadFile  ./readers/ascii.bro/bro
-0.000000 | HookLoadFile  ./readers/benchmark.bro/bro
-0.000000 | HookLoadFile  ./readers/binary.bro/bro
-0.000000 | HookLoadFile  ./readers/raw.bro/bro
-0.000000 | HookLoadFile  ./readers/sqlite.bro/bro
-0.000000 | HookLoadFile  ./reporter.bif.bro/bro
-0.000000 | HookLoadFile  ./sample.bro/bro
-0.000000 | HookLoadFile  ./scp.bro/bro
-0.000000 | HookLoadFile  ./sftp.bro/bro
-0.000000 | HookLoadFile  ./site.bro/bro
-0.000000 | HookLoadFile  ./std-dev.bro/bro
-0.000000 | HookLoadFile  ./strings.bif.bro/bro
-0.000000 | HookLoadFile  ./sum.bro/bro
-0.000000 | HookLoadFile  ./top-k.bif.bro/bro
-0.000000 | HookLoadFile  ./topk.bro/bro
-0.000000 | HookLoadFile  ./types.bif.bro/bro
-0.000000 | HookLoadFile  ./unique.bro/bro
-0.000000 | HookLoadFile  ./utils-commands.bro/bro
-0.000000 | HookLoadFile  ./utils-commands.bro/bro
-0.000000 | HookLoadFile  ./utils-commands.bro/bro
-0.000000 | HookLoadFile  ./utils.bro/bro
-0.000000 | HookLoadFile  ./utils.bro/bro
-0.000000 | HookLoadFile  ./utils.bro/bro
-0.000000 | HookLoadFile  ./utils.bro/bro
-0.000000 | HookLoadFile  ./utils.bro/bro
-0.000000 | HookLoadFile  ./utils.bro/bro
-0.000000 | HookLoadFile  ./utils.bro/bro
-0.000000 | HookLoadFile  ./utils.bro/bro
-0.000000 | HookLoadFile  ./variance.bro/bro
-0.000000 | HookLoadFile  ./variance.bro/bro
-0.000000 | HookLoadFile  ./weird.bro/bro
-0.000000 | HookLoadFile  ./writers/ascii.bro/bro
-0.000000 | HookLoadFile  ./writers/dataseries.bro/bro
-0.000000 | HookLoadFile  ./writers/elasticsearch.bro/bro
-0.000000 | HookLoadFile  ./writers/none.bro/bro
-0.000000 | HookLoadFile  ./writers/sqlite.bro/bro
-0.000000 | HookLoadFile  /Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/hooks.bro/bro
-0.000000 | HookLoadFile  /Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/lib/bif/__load__.bro/bro
-0.000000 | HookLoadFile  /Users/robin/bro/dynamic-plugins-2.3/testing/btest/.tmp/core.plugins.hooks/scripts/__load__.bro/bro
-0.000000 | HookLoadFile  base/bif.bro/bro
-0.000000 | HookLoadFile  base/bif/analyzer.bif/bif
-0.000000 | HookLoadFile  base/bif/bro.bif/bif
-0.000000 | HookLoadFile  base/bif/const.bif.bro/bro
-0.000000 | HookLoadFile  base/bif/event.bif/bif
-0.000000 | HookLoadFile  base/bif/file_analysis.bif/bif
-0.000000 | HookLoadFile  base/bif/input.bif/bif
-0.000000 | HookLoadFile  base/bif/logging.bif/bif
-0.000000 | HookLoadFile  base/bif/plugins.bro/bro
-0.000000 | HookLoadFile  base/bif/plugins/Bro_SNMP.types.bif/bif
-0.000000 | HookLoadFile  base/bif/reporter.bif/bif
-0.000000 | HookLoadFile  base/bif/strings.bif/bif
-0.000000 | HookLoadFile  base/bif/types.bif/bif
-0.000000 | HookLoadFile  base/files/extract.bro/bro
-0.000000 | HookLoadFile  base/files/hash.bro/bro
-0.000000 | HookLoadFile  base/files/hash.bro/bro
-0.000000 | HookLoadFile  base/files/unified2.bro/bro
-0.000000 | HookLoadFile  base/files/x509.bro/bro
-0.000000 | HookLoadFile  base/files/x509.bro/bro
-0.000000 | HookLoadFile  base/frameworks/analyzer.bro/bro
-0.000000 | HookLoadFile  base/frameworks/analyzer.bro/bro
-0.000000 | HookLoadFile  base/frameworks/analyzer.bro/bro
-0.000000 | HookLoadFile  base/frameworks/analyzer.bro/bro
-0.000000 | HookLoadFile  base/frameworks/cluster.bro/bro
-0.000000 | HookLoadFile  base/frameworks/cluster.bro/bro
-0.000000 | HookLoadFile  base/frameworks/cluster.bro/bro
-0.000000 | HookLoadFile  base/frameworks/cluster.bro/bro
-0.000000 | HookLoadFile  base/frameworks/cluster.bro/bro
-0.000000 | HookLoadFile  base/frameworks/cluster.bro/bro
-0.000000 | HookLoadFile  base/frameworks/communication.bro/bro
-0.000000 | HookLoadFile  base/frameworks/control.bro/bro
-0.000000 | HookLoadFile  base/frameworks/control.bro/bro
-0.000000 | HookLoadFile  base/frameworks/dpd.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/files.bro/bro
-0.000000 | HookLoadFile  base/frameworks/input.bro/bro
-0.000000 | HookLoadFile  base/frameworks/input.bro/bro
-0.000000 | HookLoadFile  base/frameworks/intel.bro/bro
-0.000000 | HookLoadFile  base/frameworks/logging.bro/bro
-0.000000 | HookLoadFile  base/frameworks/logging.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/notice.bro/bro
-0.000000 | HookLoadFile  base/frameworks/packet-filter.bro/bro
-0.000000 | HookLoadFile  base/frameworks/packet-filter.bro/bro
-0.000000 | HookLoadFile  base/frameworks/packet-filter/utils.bro/bro
-0.000000 | HookLoadFile  base/frameworks/reporter.bro/bro
-0.000000 | HookLoadFile  base/frameworks/reporter.bro/bro
-0.000000 | HookLoadFile  base/frameworks/signatures.bro/bro
-0.000000 | HookLoadFile  base/frameworks/software.bro/bro
-0.000000 | HookLoadFile  base/frameworks/sumstats.bro/bro
-0.000000 | HookLoadFile  base/frameworks/sumstats.bro/bro
-0.000000 | HookLoadFile  base/frameworks/sumstats.bro/bro
-0.000000 | HookLoadFile  base/frameworks/sumstats.bro/bro
-0.000000 | HookLoadFile  base/frameworks/sumstats/main.bro/bro
-0.000000 | HookLoadFile  base/frameworks/tunnels.bro/bro
-0.000000 | HookLoadFile  base/frameworks/tunnels.bro/bro
-0.000000 | HookLoadFile  base/frameworks/tunnels.bro/bro
-0.000000 | HookLoadFile  base/init-default.bro/bro
-0.000000 | HookLoadFile  base/misc/find-checksum-offloading.bro/bro
-0.000000 | HookLoadFile  base/misc/find-filtered-trace.bro/bro
-0.000000 | HookLoadFile  base/protocols/conn.bro/bro
-0.000000 | HookLoadFile  base/protocols/conn.bro/bro
-0.000000 | HookLoadFile  base/protocols/conn.bro/bro
-0.000000 | HookLoadFile  base/protocols/dhcp.bro/bro
-0.000000 | HookLoadFile  base/protocols/dnp3.bro/bro
-0.000000 | HookLoadFile  base/protocols/dns.bro/bro
-0.000000 | HookLoadFile  base/protocols/ftp.bro/bro
-0.000000 | HookLoadFile  base/protocols/http.bro/bro
-0.000000 | HookLoadFile  base/protocols/irc.bro/bro
-0.000000 | HookLoadFile  base/protocols/modbus.bro/bro
-0.000000 | HookLoadFile  base/protocols/pop3.bro/bro
-0.000000 | HookLoadFile  base/protocols/radius.bro/bro
-0.000000 | HookLoadFile  base/protocols/smtp.bro/bro
-0.000000 | HookLoadFile  base/protocols/snmp.bro/bro
-0.000000 | HookLoadFile  base/protocols/socks.bro/bro
-0.000000 | HookLoadFile  base/protocols/ssh.bro/bro
-0.000000 | HookLoadFile  base/protocols/ssl.bro/bro
-0.000000 | HookLoadFile  base/protocols/ssl.bro/bro
-0.000000 | HookLoadFile  base/protocols/ssl.bro/bro
-0.000000 | HookLoadFile  base/protocols/syslog.bro/bro
-0.000000 | HookLoadFile  base/protocols/tunnels.bro/bro
-0.000000 | HookLoadFile  base/utils/active-http.bro/bro
-0.000000 | HookLoadFile  base/utils/addrs.bro/bro
-0.000000 | HookLoadFile  base/utils/addrs.bro/bro
-0.000000 | HookLoadFile  base/utils/addrs.bro/bro
-0.000000 | HookLoadFile  base/utils/addrs.bro/bro
-0.000000 | HookLoadFile  base/utils/addrs.bro/bro
-0.000000 | HookLoadFile  base/utils/addrs.bro/bro
-0.000000 | HookLoadFile  base/utils/addrs.bro/bro
-0.000000 | HookLoadFile  base/utils/conn-ids.bro/bro
-0.000000 | HookLoadFile  base/utils/conn-ids.bro/bro
-0.000000 | HookLoadFile  base/utils/conn-ids.bro/bro
-0.000000 | HookLoadFile  base/utils/conn-ids.bro/bro
-0.000000 | HookLoadFile  base/utils/conn-ids.bro/bro
-0.000000 | HookLoadFile  base/utils/conn-ids.bro/bro
-0.000000 | HookLoadFile  base/utils/conn-ids.bro/bro
-0.000000 | HookLoadFile  base/utils/conn-ids.bro/bro
-0.000000 | HookLoadFile  base/utils/dir.bro/bro
-0.000000 | HookLoadFile  base/utils/dir.bro/bro
-0.000000 | HookLoadFile  base/utils/directions-and-hosts.bro/bro
-0.000000 | HookLoadFile  base/utils/directions-and-hosts.bro/bro
-0.000000 | HookLoadFile  base/utils/directions-and-hosts.bro/bro
-0.000000 | HookLoadFile  base/utils/directions-and-hosts.bro/bro
-0.000000 | HookLoadFile  base/utils/exec.bro/bro
-0.000000 | HookLoadFile  base/utils/exec.bro/bro
-0.000000 | HookLoadFile  base/utils/files.bro/bro
-0.000000 | HookLoadFile  base/utils/files.bro/bro
-0.000000 | HookLoadFile  base/utils/files.bro/bro
-0.000000 | HookLoadFile  base/utils/files.bro/bro
-0.000000 | HookLoadFile  base/utils/files.bro/bro
-0.000000 | HookLoadFile  base/utils/files.bro/bro
-0.000000 | HookLoadFile  base/utils/numbers.bro/bro
-0.000000 | HookLoadFile  base/utils/numbers.bro/bro
-0.000000 | HookLoadFile  base/utils/numbers.bro/bro
-0.000000 | HookLoadFile  base/utils/numbers.bro/bro
-0.000000 | HookLoadFile  base/utils/paths.bro/bro
-0.000000 | HookLoadFile  base/utils/paths.bro/bro
-0.000000 | HookLoadFile  base/utils/paths.bro/bro
-0.000000 | HookLoadFile  base/utils/paths.bro/bro
-0.000000 | HookLoadFile  base/utils/paths.bro/bro
-0.000000 | HookLoadFile  base/utils/paths.bro/bro
-0.000000 | HookLoadFile  base/utils/patterns.bro/bro
-0.000000 | HookLoadFile  base/utils/queue.bro/bro
-0.000000 | HookLoadFile  base/utils/queue.bro/bro
-0.000000 | HookLoadFile  base/utils/queue.bro/bro
-0.000000 | HookLoadFile  base/utils/site.bro/bro
-0.000000 | HookLoadFile  base/utils/site.bro/bro
-0.000000 | HookLoadFile  base/utils/site.bro/bro
-0.000000 | HookLoadFile  base/utils/site.bro/bro
-0.000000 | HookLoadFile  base/utils/site.bro/bro
-0.000000 | HookLoadFile  base/utils/site.bro/bro
-0.000000 | HookLoadFile  base/utils/site.bro/bro
-0.000000 | HookLoadFile  base/utils/strings.bro/bro
-0.000000 | HookLoadFile  base/utils/strings.bro/bro
-0.000000 | HookLoadFile  base/utils/strings.bro/bro
-0.000000 | HookLoadFile  base/utils/thresholds.bro/bro
-0.000000 | HookLoadFile  base/utils/thresholds.bro/bro
-0.000000 | HookLoadFile  base/utils/time.bro/bro
-0.000000 | HookLoadFile  base/utils/urls.bro/bro
-0.000000 | HookQueueEvent zeek_init()
-0.000000 | HookQueueEvent filter_change_tracking()
-1362692526.869344   MetaHookPost  CallFunction(ChecksumOffloading::check, ()) -> <null>
-1362692526.869344   MetaHookPost  CallFunction(filter_change_tracking, ()) -> <null>
-1362692526.869344   MetaHookPost  CallFunction(new_connection, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <null>
-1362692526.869344   MetaHookPost  DrainEvents() -> <void>
-1362692526.869344   MetaHookPost  DrainEvents() -> <void>
-1362692526.869344   MetaHookPost  DrainEvents() -> <void>
-1362692526.869344   MetaHookPost  DrainEvents() -> <void>
-1362692526.869344   MetaHookPost  DrainEvents() -> <void>
-1362692526.869344   MetaHookPost  DrainEvents() -> <void>
-1362692526.869344   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
-1362692526.869344   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-1362692526.869344   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
-1362692526.869344   MetaHookPost  UpdateNetworkTime(1362692526.869344) -> <void>
-1362692526.869344   MetaHookPre   CallFunction(ChecksumOffloading::check, ())
-1362692526.869344   MetaHookPre   CallFunction(filter_change_tracking, ())
-1362692526.869344   MetaHookPre   CallFunction(new_connection, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.869344   MetaHookPre   DrainEvents()
-1362692526.869344   MetaHookPre   DrainEvents()
-1362692526.869344   MetaHookPre   DrainEvents()
-1362692526.869344   MetaHookPre   DrainEvents()
-1362692526.869344   MetaHookPre   DrainEvents()
-1362692526.869344   MetaHookPre   DrainEvents()
-1362692526.869344   MetaHookPre   QueueEvent(ChecksumOffloading::check())
-1362692526.869344   MetaHookPre   QueueEvent(filter_change_tracking())
-1362692526.869344   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.869344   MetaHookPre   UpdateNetworkTime(1362692526.869344)
-1362692526.869344  | HookUpdateNetworkTime 1362692526.869344
-1362692526.869344 | HookCallFunction ChecksumOffloading::check()
-1362692526.869344 | HookCallFunction filter_change_tracking()
-1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.869344 | HookDrainEvents
-1362692526.869344 | HookDrainEvents
-1362692526.869344 | HookDrainEvents
-1362692526.869344 | HookDrainEvents
-1362692526.869344 | HookDrainEvents
-1362692526.869344 | HookDrainEvents
-1362692526.869344 | HookQueueEvent ChecksumOffloading::check()
-1362692526.869344 | HookQueueEvent filter_change_tracking()
-1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.0, service={}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.939084   MetaHookPost  CallFunction(connection_established, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <null>
-1362692526.939084   MetaHookPost  DrainEvents() -> <void>
-1362692526.939084   MetaHookPost  DrainEvents() -> <void>
-1362692526.939084   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
-1362692526.939084   MetaHookPost  UpdateNetworkTime(1362692526.939084) -> <void>
-1362692526.939084   MetaHookPre   CallFunction(connection_established, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.939084   MetaHookPre   DrainEvents()
-1362692526.939084   MetaHookPre   DrainEvents()
-1362692526.939084   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.939084   MetaHookPre   UpdateNetworkTime(1362692526.939084)
-1362692526.939084  | HookUpdateNetworkTime 1362692526.939084
-1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.939084 | HookDrainEvents
-1362692526.939084 | HookDrainEvents
-1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1362692526.869344, duration=0.06974, service={}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.939378   MetaHookPost  DrainEvents() -> <void>
-1362692526.939378   MetaHookPost  DrainEvents() -> <void>
-1362692526.939378   MetaHookPost  UpdateNetworkTime(1362692526.939378) -> <void>
-1362692526.939378   MetaHookPre   DrainEvents()
-1362692526.939378   MetaHookPre   DrainEvents()
-1362692526.939378   MetaHookPre   UpdateNetworkTime(1362692526.939378)
-1362692526.939378  | HookUpdateNetworkTime 1362692526.939378
-1362692526.939378 | HookDrainEvents
-1362692526.939378 | HookDrainEvents
-1362692526.939527   MetaHookPost  CallFunction(Analyzer::name, (Analyzer::ANALYZER_HTTP)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::new_http_session, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(http_end_entity, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, USER-AGENT, Wget/1.14 (darwin12.2.0))) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, ACCEPT, */*)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(http_request, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, /download/CHANGES.bro-aux.txt, /download/CHANGES.bro-aux.txt, 1.1)) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <null>
-1362692526.939527   MetaHookPost  CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <null>
-1362692526.939527   MetaHookPost  DrainEvents() -> <void>
-1362692526.939527   MetaHookPost  DrainEvents() -> <void>
-1362692526.939527   MetaHookPost  DrainEvents() -> <void>
-1362692526.939527   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, ACCEPT, */*)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, USER-AGENT, Wget/1.14 (darwin12.2.0))) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
-1362692526.939527   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, /download/CHANGES.bro-aux.txt, /download/CHANGES.bro-aux.txt, 1.1)) -> false
-1362692526.939527   MetaHookPost  UpdateNetworkTime(1362692526.939527) -> <void>
-1362692526.939527   MetaHookPre   CallFunction(Analyzer::name, (Analyzer::ANALYZER_HTTP))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::new_http_session, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T))
-1362692526.939527   MetaHookPre   CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_end_entity, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, USER-AGENT, Wget/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, ACCEPT, */*))
-1362692526.939527   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
-1362692526.939527   MetaHookPre   CallFunction(http_request, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, /download/CHANGES.bro-aux.txt, /download/CHANGES.bro-aux.txt, 1.1))
-1362692526.939527   MetaHookPre   CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
-1362692526.939527   MetaHookPre   CallFunction(protocol_confirmation, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
-1362692526.939527   MetaHookPre   DrainEvents()
-1362692526.939527   MetaHookPre   DrainEvents()
-1362692526.939527   MetaHookPre   DrainEvents()
-1362692526.939527   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, ACCEPT, */*))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org))
-1362692526.939527   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, USER-AGENT, Wget/1.14 (darwin12.2.0)))
-1362692526.939527   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
-1362692526.939527   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, /download/CHANGES.bro-aux.txt, /download/CHANGES.bro-aux.txt, 1.1))
-1362692526.939527   MetaHookPre   UpdateNetworkTime(1362692526.939527)
-1362692526.939527  | HookUpdateNetworkTime 1362692526.939527
-1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP)
-1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=[pending={}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, T)
-1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, USER-AGENT, Wget/1.14 (darwin12.2.0))
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, ACCEPT, */*)
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
-1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, /download/CHANGES.bro-aux.txt, /download/CHANGES.bro-aux.txt, 1.1)
-1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
-1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
-1362692526.939527 | HookDrainEvents
-1362692526.939527 | HookDrainEvents
-1362692526.939527 | HookDrainEvents
-1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, ACCEPT, */*)
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, CONNECTION, Keep-Alive)
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, HOST, bro.org)
-1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, USER-AGENT, Wget/1.14 (darwin12.2.0))
-1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
-1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0], start_time=1362692526.869344, duration=0.070183, service={HTTP}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, /download/CHANGES.bro-aux.txt, /download/CHANGES.bro-aux.txt, 1.1)
-1362692527.008509   MetaHookPost  DrainEvents() -> <void>
-1362692527.008509   MetaHookPost  DrainEvents() -> <void>
-1362692527.008509   MetaHookPost  UpdateNetworkTime(1362692527.008509) -> <void>
-1362692527.008509   MetaHookPre   DrainEvents()
-1362692527.008509   MetaHookPre   DrainEvents()
-1362692527.008509   MetaHookPre   UpdateNetworkTime(1362692527.008509)
-1362692527.008509  | HookUpdateNetworkTime 1362692527.008509
-1362692527.008509 | HookDrainEvents
-1362692527.008509 | HookDrainEvents
-1362692527.009512   MetaHookPost  CallFunction(HTTP::code_in_range, (200, 100, 199)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-TYPE, text/plain; charset=UTF-8)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, SERVER, Apache/2.4.3 (Fedora))) -> <null>
-1362692527.009512   MetaHookPost  CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <null>
-1362692527.009512   MetaHookPost  DrainEvents() -> <void>
-1362692527.009512   MetaHookPost  DrainEvents() -> <void>
-1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-TYPE, text/plain; charset=UTF-8)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, SERVER, Apache/2.4.3 (Fedora))) -> false
-1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
-1362692527.009512   MetaHookPost  UpdateNetworkTime(1362692527.009512) -> <void>
-1362692527.009512   MetaHookPre   CallFunction(HTTP::code_in_range, (200, 100, 199))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-TYPE, text/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
-1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, SERVER, Apache/2.4.3 (Fedora)))
-1362692527.009512   MetaHookPre   CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
-1362692527.009512   MetaHookPre   DrainEvents()
-1362692527.009512   MetaHookPre   DrainEvents()
-1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-TYPE, text/plain; charset=UTF-8))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0"))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
-1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, SERVER, Apache/2.4.3 (Fedora)))
-1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
-1362692527.009512   MetaHookPre   UpdateNetworkTime(1362692527.009512)
-1362692527.009512  | HookUpdateNetworkTime 1362692527.009512
-1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-TYPE, text/plain; charset=UTF-8)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
-1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, SERVER, Apache/2.4.3 (Fedora))
-1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
-1362692527.009512 | HookDrainEvents
-1362692527.009512 | HookDrainEvents
-1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-LENGTH, 4705)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONTENT-TYPE, text/plain; charset=UTF-8)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETAG, "1261-4c870358a6fc0")
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, KEEP-ALIVE, timeout=5, max=100)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
-1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, SERVER, Apache/2.4.3 (Fedora))
-1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0], start_time=1362692526.869344, duration=0.140168, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
-1362692527.009721   MetaHookPost  CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>], text/plain)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <null>
-1362692527.009721   MetaHookPost  DrainEvents() -> <void>
-1362692527.009721   MetaHookPost  DrainEvents() -> <void>
-1362692527.009721   MetaHookPost  DrainEvents() -> <void>
-1362692527.009721   MetaHookPost  DrainEvents() -> <void>
-1362692527.009721   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009721   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009721   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009721   MetaHookPost  UpdateNetworkTime(1362692527.009721) -> <void>
-1362692527.009721   MetaHookPre   CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>], text/plain))
-1362692527.009721   MetaHookPre   CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009721   MetaHookPre   CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]))
-1362692527.009721   MetaHookPre   CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009721   MetaHookPre   CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
-1362692527.009721   MetaHookPre   DrainEvents()
-1362692527.009721   MetaHookPre   DrainEvents()
-1362692527.009721   MetaHookPre   DrainEvents()
-1362692527.009721   MetaHookPre   DrainEvents()
-1362692527.009721   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009721   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   UpdateNetworkTime(1362692527.009721)
-1362692527.009721  | HookUpdateNetworkTime 1362692527.009721
-1362692527.009721 | HookCallFunction Files::add_analyzers_for_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>], text/plain)
-1362692527.009721 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009721 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])
-1362692527.009721 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009721 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009721 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009721 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009721 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
-1362692527.009721 | HookDrainEvents
-1362692527.009721 | HookDrainEvents
-1362692527.009721 | HookDrainEvents
-1362692527.009721 | HookDrainEvents
-1362692527.009721 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009721 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009721, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009721 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009765   MetaHookPost  DrainEvents() -> <void>
-1362692527.009765   MetaHookPost  DrainEvents() -> <void>
-1362692527.009765   MetaHookPost  UpdateNetworkTime(1362692527.009765) -> <void>
-1362692527.009765   MetaHookPre   DrainEvents()
-1362692527.009765   MetaHookPre   DrainEvents()
-1362692527.009765   MetaHookPre   UpdateNetworkTime(1362692527.009765)
-1362692527.009765  | HookUpdateNetworkTime 1362692527.009765
-1362692527.009765 | HookDrainEvents
-1362692527.009765 | HookDrainEvents
-1362692527.009775   MetaHookPost  CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::code_in_range, (200, 100, 199)) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(Log::default_path_func, (Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(Log::default_path_func, (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(Log::write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(http_end_entity, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <null>
-1362692527.009775   MetaHookPost  DrainEvents() -> <void>
-1362692527.009775   MetaHookPost  DrainEvents() -> <void>
-1362692527.009775   MetaHookPost  DrainEvents() -> <void>
-1362692527.009775   MetaHookPost  DrainEvents() -> <void>
-1362692527.009775   MetaHookPost  DrainEvents() -> <void>
-1362692527.009775   MetaHookPost  QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])) -> false
-1362692527.009775   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009775   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
-1362692527.009775   MetaHookPost  UpdateNetworkTime(1362692527.009775) -> <void>
-1362692527.009775   MetaHookPre   CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::code_in_range, (200, 100, 199))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009775   MetaHookPre   CallFunction(Log::default_path_func, (Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
-1362692527.009775   MetaHookPre   CallFunction(Log::default_path_func, (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
-1362692527.009775   MetaHookPre   CallFunction(Log::write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
-1362692527.009775   MetaHookPre   CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
-1362692527.009775   MetaHookPre   CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]))
-1362692527.009775   MetaHookPre   CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(http_end_entity, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   CallFunction(http_message_done, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
-1362692527.009775   MetaHookPre   CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
-1362692527.009775   MetaHookPre   DrainEvents()
-1362692527.009775   MetaHookPre   DrainEvents()
-1362692527.009775   MetaHookPre   DrainEvents()
-1362692527.009775   MetaHookPre   DrainEvents()
-1362692527.009775   MetaHookPre   DrainEvents()
-1362692527.009775   MetaHookPre   QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]))
-1362692527.009775   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009775   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
-1362692527.009775   MetaHookPre   UpdateNetworkTime(1362692527.009775)
-1362692527.009775  | HookUpdateNetworkTime 1362692527.009775
-1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])
-1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199)
-1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009775 | HookCallFunction Log::default_path_func(Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
-1362692527.009775 | HookCallFunction Log::default_path_func(HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
-1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
-1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
-1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])
-1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
-1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
-1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookDrainEvents
-1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=2896, state=4, num_pkts=3, num_bytes_ip=1612, flow_label=0], start_time=1362692526.869344, duration=0.140377, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=1362692527.009775, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])
-1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0], start_time=1362692526.869344, duration=0.140431, service={HTTP}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
-1362692527.009855   MetaHookPost  DrainEvents() -> <void>
-1362692527.009855   MetaHookPost  DrainEvents() -> <void>
-1362692527.009855   MetaHookPost  UpdateNetworkTime(1362692527.009855) -> <void>
-1362692527.009855   MetaHookPre   DrainEvents()
-1362692527.009855   MetaHookPre   DrainEvents()
-1362692527.009855   MetaHookPre   UpdateNetworkTime(1362692527.009855)
-1362692527.009855  | HookUpdateNetworkTime 1362692527.009855
-1362692527.009855 | HookDrainEvents
-1362692527.009855 | HookDrainEvents
-1362692527.009887   MetaHookPost  DrainEvents() -> <void>
-1362692527.009887   MetaHookPost  DrainEvents() -> <void>
-1362692527.009887   MetaHookPost  UpdateNetworkTime(1362692527.009887) -> <void>
-1362692527.009887   MetaHookPre   DrainEvents()
-1362692527.009887   MetaHookPre   DrainEvents()
-1362692527.009887   MetaHookPre   UpdateNetworkTime(1362692527.009887)
-1362692527.009887  | HookUpdateNetworkTime 1362692527.009887
-1362692527.009887 | HookDrainEvents
-1362692527.009887 | HookDrainEvents
-1362692527.011846   MetaHookPost  DrainEvents() -> <void>
-1362692527.011846   MetaHookPost  DrainEvents() -> <void>
-1362692527.011846   MetaHookPost  UpdateNetworkTime(1362692527.011846) -> <void>
-1362692527.011846   MetaHookPre   DrainEvents()
-1362692527.011846   MetaHookPre   DrainEvents()
-1362692527.011846   MetaHookPre   UpdateNetworkTime(1362692527.011846)
-1362692527.011846  | HookUpdateNetworkTime 1362692527.011846
-1362692527.011846 | HookDrainEvents
-1362692527.011846 | HookDrainEvents
-1362692527.080828   MetaHookPost  DrainEvents() -> <void>
-1362692527.080828   MetaHookPost  DrainEvents() -> <void>
-1362692527.080828   MetaHookPost  UpdateNetworkTime(1362692527.080828) -> <void>
-1362692527.080828   MetaHookPre   DrainEvents()
-1362692527.080828   MetaHookPre   DrainEvents()
-1362692527.080828   MetaHookPre   UpdateNetworkTime(1362692527.080828)
-1362692527.080828  | HookUpdateNetworkTime 1362692527.080828
-1362692527.080828 | HookDrainEvents
-1362692527.080828 | HookDrainEvents
-1362692527.080972   MetaHookPost  CallFunction(ChecksumOffloading::check, ()) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(ChecksumOffloading::check, ()) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(Conn::conn_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=<uninitialized>, local_orig=<uninitialized>, missed_bytes=0, history=<uninitialized>, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(Conn::determine_service, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=<uninitialized>, local_orig=<uninitialized>, missed_bytes=0, history=<uninitialized>, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(Conn::set_conn, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(Log::default_path_func, (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(Log::write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(zeek_done, ()) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(connection_state_remove, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(filter_change_tracking, ()) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <null>
-1362692527.080972   MetaHookPost  CallFunction(net_done, (1362692527.080972)) -> <null>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  DrainEvents() -> <void>
-1362692527.080972   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(zeek_done()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
-1362692527.080972   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-1362692527.080972   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-1362692527.080972   MetaHookPost  UpdateNetworkTime(1362692527.080972) -> <void>
-1362692527.080972   MetaHookPre   CallFunction(ChecksumOffloading::check, ())
-1362692527.080972   MetaHookPre   CallFunction(ChecksumOffloading::check, ())
-1362692527.080972   MetaHookPre   CallFunction(Conn::conn_state, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=<uninitialized>, local_orig=<uninitialized>, missed_bytes=0, history=<uninitialized>, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp))
-1362692527.080972   MetaHookPre   CallFunction(Conn::determine_service, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=<uninitialized>, local_orig=<uninitialized>, missed_bytes=0, history=<uninitialized>, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692527.080972   MetaHookPre   CallFunction(Conn::set_conn, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   CallFunction(Log::default_path_func, (Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
-1362692527.080972   MetaHookPre   CallFunction(Log::write, (Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]))
-1362692527.080972   MetaHookPre   CallFunction(zeek_done, ())
-1362692527.080972   MetaHookPre   CallFunction(connection_state_remove, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692527.080972   MetaHookPre   CallFunction(filter_change_tracking, ())
-1362692527.080972   MetaHookPre   CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
-1362692527.080972   MetaHookPre   CallFunction(net_done, (1362692527.080972))
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   DrainEvents()
-1362692527.080972   MetaHookPre   QueueEvent(ChecksumOffloading::check())
-1362692527.080972   MetaHookPre   QueueEvent(ChecksumOffloading::check())
-1362692527.080972   MetaHookPre   QueueEvent(zeek_done())
-1362692527.080972   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-1362692527.080972   MetaHookPre   QueueEvent(filter_change_tracking())
-1362692527.080972   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-1362692527.080972   MetaHookPre   UpdateNetworkTime(1362692527.080972)
-1362692527.080972  | HookUpdateNetworkTime 1362692527.080972
-1362692527.080972 | HookCallFunction ChecksumOffloading::check()
-1362692527.080972 | HookCallFunction ChecksumOffloading::check()
-1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=<uninitialized>, local_orig=<uninitialized>, missed_bytes=0, history=<uninitialized>, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], tcp)
-1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=<uninitialized>, local_orig=<uninitialized>, missed_bytes=0, history=<uninitialized>, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}], extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692527.080972 | HookCallFunction Log::default_path_func(Conn::LOG, , [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
-1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])
-1362692527.080972 | HookCallFunction zeek_done()
-1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692527.080972 | HookCallFunction filter_change_tracking()
-1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-1362692527.080972 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
-1362692527.080972 | HookCallFunction net_done(1362692527.080972)
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookDrainEvents
-1362692527.080972 | HookQueueEvent ChecksumOffloading::check()
-1362692527.080972 | HookQueueEvent ChecksumOffloading::check()
-1362692527.080972 | HookQueueEvent zeek_done()
-1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-1362692527.080972 | HookQueueEvent filter_change_tracking()
-1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={HTTP}, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index e334d7f6c6..43bed82a1e 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -9,7 +9,7 @@
 scripts/base/init-bare.zeek
   build/scripts/base/bif/const.bif.zeek
   build/scripts/base/bif/types.bif.zeek
-  build/scripts/base/bif/bro.bif.zeek
+  build/scripts/base/bif/zeek.bif.zeek
   build/scripts/base/bif/stats.bif.zeek
   build/scripts/base/bif/reporter.bif.zeek
   build/scripts/base/bif/strings.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 0b49a08672..4b9b9c9606 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -9,7 +9,7 @@
 scripts/base/init-bare.zeek
   build/scripts/base/bif/const.bif.zeek
   build/scripts/base/bif/types.bif.zeek
-  build/scripts/base/bif/bro.bif.zeek
+  build/scripts/base/bif/zeek.bif.zeek
   build/scripts/base/bif/stats.bif.zeek
   build/scripts/base/bif/reporter.bif.zeek
   build/scripts/base/bif/strings.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index f8aad72732..48c6f85694 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -273,7 +273,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1560564690.769635, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1560566824.729868, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -450,7 +450,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1560564690.769635, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1560566824.729868, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -690,7 +690,6 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/benchmark.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/binary.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/bloom-filter.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/bro.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/broker.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/cardinality-counter.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/comm.bif.zeek) -> -1
@@ -769,6 +768,7 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/utils.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/variance.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/weird.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/zeek.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/zeekygen.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, <...>/__load__.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, <...>/__preload__.zeek) -> -1
@@ -780,7 +780,6 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/bif) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/bro.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/broker) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/cluster) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/comm.bif.zeek) -> -1
@@ -870,6 +869,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/weird.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/x509) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/xmpp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/zeek.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/archive.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/audio.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, .<...>/dpd.sig) -> -1
@@ -1159,7 +1159,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1560564690.769635, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1560566824.729868, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1336,7 +1336,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1560564690.769635, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1560566824.729868, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1576,7 +1576,6 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/benchmark.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/binary.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/bloom-filter.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/bro.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/broker.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/cardinality-counter.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/comm.bif.zeek)
@@ -1655,6 +1654,7 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/utils.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/variance.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/weird.zeek)
+0.000000   MetaHookPre   LoadFile(0, .<...>/zeek.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/zeekygen.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, <...>/__load__.zeek)
 0.000000   MetaHookPre   LoadFile(0, <...>/__preload__.zeek)
@@ -1666,7 +1666,6 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer)
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/bif)
-0.000000   MetaHookPre   LoadFile(0, base<...>/bro.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/broker)
 0.000000   MetaHookPre   LoadFile(0, base<...>/cluster)
 0.000000   MetaHookPre   LoadFile(0, base<...>/comm.bif.zeek)
@@ -1756,6 +1755,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/weird.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/x509)
 0.000000   MetaHookPre   LoadFile(0, base<...>/xmpp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/zeek.bif.zeek)
 0.000000   MetaHookPre   LoadFile(1, .<...>/archive.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/audio.sig)
 0.000000   MetaHookPre   LoadFile(1, .<...>/dpd.sig)
@@ -2044,7 +2044,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1560564690.769635, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1560566824.729868, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2221,7 +2221,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1560564690.769635, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1560566824.729868, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2463,7 +2463,6 @@
 0.000000 | HookLoadFile  .<...>/benchmark.zeek
 0.000000 | HookLoadFile  .<...>/binary.zeek
 0.000000 | HookLoadFile  .<...>/bloom-filter.bif.zeek
-0.000000 | HookLoadFile  .<...>/bro.bif.zeek
 0.000000 | HookLoadFile  .<...>/broker.zeek
 0.000000 | HookLoadFile  .<...>/cardinality-counter.bif.zeek
 0.000000 | HookLoadFile  .<...>/comm.bif.zeek
@@ -2549,6 +2548,7 @@
 0.000000 | HookLoadFile  .<...>/variance.zeek
 0.000000 | HookLoadFile  .<...>/video.sig
 0.000000 | HookLoadFile  .<...>/weird.zeek
+0.000000 | HookLoadFile  .<...>/zeek.bif.zeek
 0.000000 | HookLoadFile  .<...>/zeekygen.bif.zeek
 0.000000 | HookLoadFile  <...>/__load__.zeek
 0.000000 | HookLoadFile  <...>/__preload__.zeek
@@ -2560,7 +2560,6 @@
 0.000000 | HookLoadFile  base<...>/analyzer
 0.000000 | HookLoadFile  base<...>/analyzer.bif.zeek
 0.000000 | HookLoadFile  base<...>/bif
-0.000000 | HookLoadFile  base<...>/bro.bif.zeek
 0.000000 | HookLoadFile  base<...>/broker
 0.000000 | HookLoadFile  base<...>/cluster
 0.000000 | HookLoadFile  base<...>/comm.bif.zeek
@@ -2650,8 +2649,9 @@
 0.000000 | HookLoadFile  base<...>/weird.zeek
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
+0.000000 | HookLoadFile  base<...>/zeek.bif.zeek
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1560564690.769635, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1560566824.729868, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()

From 11cbda558971c358f0fb160754f116963b4763b9 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Fri, 14 Jun 2019 20:28:25 -0700
Subject: [PATCH 69/91] Updating submodule(s).

 [nomail]
---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index f77e0400ff..9731431868 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit f77e0400ff0057c8461a1dd0658b83de186e6a6b
+Subproject commit 9731431868ad9af6b21e9e0ee9c086e409a56242

From 0ae1bfa29d9b413e8e385c17c6a59c9ac57c17a4 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer2@gmail.com>
Date: Sun, 16 Jun 2019 23:06:21 -0500
Subject: [PATCH 70/91] Rename bro to zeek in error messages

More renaming in error messages and a few other places.
---
 src/CMakeLists.txt                   | 4 ++--
 src/Debug.cc                         | 2 +-
 src/DebugCmdInfoConstants.cc         | 2 +-
 src/DebugCmdInfoConstants.in         | 2 +-
 src/DebugLogger.cc                   | 2 +-
 src/Hash.cc                          | 2 +-
 src/Serializer.cc                    | 2 +-
 src/broker/comm.bif                  | 2 +-
 src/input/readers/sqlite/SQLite.cc   | 2 +-
 src/logging/writers/sqlite/SQLite.cc | 2 +-
 src/zeekygen/Manager.cc              | 2 +-
 11 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index ab94f512f5..f014d0a149 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -10,8 +10,8 @@ set(bro_ALL_GENERATED_OUTPUTS  CACHE INTERNAL "automatically generated files" FO
 set(bro_AUTO_BIFS     CACHE INTERNAL "BIFs for automatic inclusion" FORCE)
 set(bro_REGISTER_BIFS CACHE INTERNAL "BIFs for automatic registering" FORCE)
 
-set(bro_BASE_BIF_SCRIPTS CACHE INTERNAL "Bro script stubs for BIFs in base distribution of Bro" FORCE)
-set(bro_PLUGIN_BIF_SCRIPTS CACHE INTERNAL "Bro script stubs for BIFs in Bro plugins" FORCE)
+set(bro_BASE_BIF_SCRIPTS CACHE INTERNAL "Zeek script stubs for BIFs in base distribution of Zeek" FORCE)
+set(bro_PLUGIN_BIF_SCRIPTS CACHE INTERNAL "Zeek script stubs for BIFs in Zeek plugins" FORCE)
 
 # If TRUE, use CMake's object libraries for sub-directories instead of
 # static libraries. This requires CMake >= 2.8.8.
diff --git a/src/Debug.cc b/src/Debug.cc
index 5493b20797..bf23ff105b 100644
--- a/src/Debug.cc
+++ b/src/Debug.cc
@@ -721,7 +721,7 @@ static char* get_prompt(bool reset_counter = false)
 	if ( reset_counter )
 		counter = 0;
 
-	safe_snprintf(prompt, sizeof(prompt), "(Bro [%d]) ", counter++);
+	safe_snprintf(prompt, sizeof(prompt), "(Zeek [%d]) ", counter++);
 
 	return prompt;
 	}
diff --git a/src/DebugCmdInfoConstants.cc b/src/DebugCmdInfoConstants.cc
index 13b83049ab..c947b3a1fd 100644
--- a/src/DebugCmdInfoConstants.cc
+++ b/src/DebugCmdInfoConstants.cc
@@ -35,7 +35,7 @@ void init_global_dbg_constants () {
 	"quit"
       };
 
-      info = new DebugCmdInfo (dcQuit, names, 1, false, "Exit Bro",
+      info = new DebugCmdInfo (dcQuit, names, 1, false, "Exit Zeek",
                                false);
       g_DebugCmdInfos.push_back(info);
    }
diff --git a/src/DebugCmdInfoConstants.in b/src/DebugCmdInfoConstants.in
index 339733c645..ad90d7ed83 100644
--- a/src/DebugCmdInfoConstants.in
+++ b/src/DebugCmdInfoConstants.in
@@ -13,7 +13,7 @@ help: Get help with debugger commands
 cmd: dcQuit
 names: quit
 resume: false
-help: Exit Bro
+help: Exit Zeek
 
 cmd: dcNext
 names: next
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
index 7adc7aa65a..d92b5e0ddf 100644
--- a/src/DebugLogger.cc
+++ b/src/DebugLogger.cc
@@ -72,7 +72,7 @@ void DebugLogger::ShowStreamsHelp()
 		fprintf(stderr,"  %s\n", streams[i].prefix);
 
 	fprintf(stderr, "\n");
-	fprintf(stderr, "  plugin-<plugin-name>   (replace '::' in name with '-'; e.g., '-B plugin-Bro-Netmap')\n");
+	fprintf(stderr, "  plugin-<plugin-name>   (replace '::' in name with '-'; e.g., '-B plugin-Zeek-Netmap')\n");
 	fprintf(stderr, "\n");
 	fprintf(stderr, "Pseudo streams\n");
 	fprintf(stderr, "  verbose  Increase verbosity.\n");
diff --git a/src/Hash.cc b/src/Hash.cc
index 1955684738..a40dc4d2f8 100644
--- a/src/Hash.cc
+++ b/src/Hash.cc
@@ -26,7 +26,7 @@ void init_hash_function()
 	{
 	// Make sure we have already called init_random_seed().
 	if ( ! (hmac_key_set && siphash_key_set) )
-		reporter->InternalError("Bro's hash functions aren't fully initialized");
+		reporter->InternalError("Zeek's hash functions aren't fully initialized");
 	}
 
 HashKey::HashKey(bro_int_t i)
diff --git a/src/Serializer.cc b/src/Serializer.cc
index 28dc6bbd01..2b9860ca08 100644
--- a/src/Serializer.cc
+++ b/src/Serializer.cc
@@ -887,7 +887,7 @@ bool FileSerializer::ReadHeader(UnserialInfo* info)
 
 	if ( magic != htonl(MAGIC) )
 		{
-		Error(fmt("%s is not a bro state file", file));
+		Error(fmt("%s is not a Zeek state file", file));
 		CloseFile();
 		return false;
 		}
diff --git a/src/broker/comm.bif b/src/broker/comm.bif
index 19be90befc..660701e058 100644
--- a/src/broker/comm.bif
+++ b/src/broker/comm.bif
@@ -1,5 +1,5 @@
 
-##! Functions and events regarding Bro's broker communication mechanisms.
+##! Functions and events regarding broker communication mechanisms.
 
 %%{
 #include "broker/Manager.h"
diff --git a/src/input/readers/sqlite/SQLite.cc b/src/input/readers/sqlite/SQLite.cc
index 1d016867b2..8dcaed61c0 100644
--- a/src/input/readers/sqlite/SQLite.cc
+++ b/src/input/readers/sqlite/SQLite.cc
@@ -71,7 +71,7 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading:
 	{
 	if ( sqlite3_threadsafe() == 0 )
 		{
-		Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting");
+		Error("SQLite reports that it is not threadsafe. Zeek needs a threadsafe version of SQLite. Aborting");
 		return false;
 		}
 
diff --git a/src/logging/writers/sqlite/SQLite.cc b/src/logging/writers/sqlite/SQLite.cc
index 3374c05c9c..48930a6225 100644
--- a/src/logging/writers/sqlite/SQLite.cc
+++ b/src/logging/writers/sqlite/SQLite.cc
@@ -116,7 +116,7 @@ bool SQLite::DoInit(const WriterInfo& info, int arg_num_fields,
 	{
 	if ( sqlite3_threadsafe() == 0 )
 		{
-		Error("SQLite reports that it is not threadsafe. Bro needs a threadsafe version of SQLite. Aborting");
+		Error("SQLite reports that it is not threadsafe. Zeek needs a threadsafe version of SQLite. Aborting");
 		return false;
 		}
 
diff --git a/src/zeekygen/Manager.cc b/src/zeekygen/Manager.cc
index df464213ca..52fdd64613 100644
--- a/src/zeekygen/Manager.cc
+++ b/src/zeekygen/Manager.cc
@@ -83,7 +83,7 @@ Manager::Manager(const string& arg_config, const string& bro_command)
 	// a PATH component that starts with a tilde (such as "~/bin").  A simple
 	// workaround is to just run bro with a relative or absolute path.
 	if ( path_to_bro.empty() || stat(path_to_bro.c_str(), &s) < 0 )
-		reporter->InternalError("Zeekygen can't get mtime of bro binary %s (try again by specifying the absolute or relative path to Bro): %s",
+		reporter->InternalError("Zeekygen can't get mtime of zeek binary %s (try again by specifying the absolute or relative path to Zeek): %s",
 		                        path_to_bro.c_str(), strerror(errno));
 
 	bro_mtime = s.st_mtime;

From 01e662b3e0f130543aa698e9c57be00b965d1924 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Sat, 15 Jun 2019 21:19:21 +0000
Subject: [PATCH 71/91] Reimplement serialization infrastructure for
 OpaqueVals.

We need this to sender through Broker, and we also leverage it for
cloning opaques. The serialization methods now produce Broker data
instances directly, and no longer go through the binary formatter.

Summary of the new API for types derived from OpaqueVal:

    - Add DECLARE_OPAQUE_VALUE(<class>) to the class declaration
    - Add IMPLEMENT_OPAQUE_VALUE(<class>) to the class' implementation file
    - Implement these two methods (which are declated by the 1st macro):
        - broker::data DoSerialize() const
        - bool DoUnserialize(const broker::data& data)

This machinery should work correctly from dynamic plugins as well.

OpaqueVal provides a default implementation of DoClone() as well that
goes through serialization. Derived classes can provide a more
efficient version if they want.

The declaration of the "OpaqueVal" class has moved into the header
file "OpaqueVal.h", along with the new serialization infrastructure.
This is breaking existing code that relies on the location, but
because the API is changing anyways that seems fine.

This adds an internal BiF
"Broker::__opaque_clone_through_serialization" that does what the name
says: deep-copying an opaque by serializing, then-deserializing. That
can be used to tests the new functionality from btests.

Not quite done yet. TODO:
    - Not all tests pass yet:
        [  0%] language.named-set-ctors ... failed
        [ 16%] language.copy-all-opaques ... failed
        [ 33%] language.set-type-checking ... failed
        [ 50%] language.table-init-container-ctors ... failed
        [ 66%] coverage.sphinx-zeekygen-docs ... failed
        [ 83%] scripts.base.frameworks.sumstats.basic-cluster ... failed

      (Some of the serialization may still be buggy.)

    - Clean up the code a bit more.
---
 src/OpaqueVal.cc                             | 530 +++++++++++++++++++
 src/OpaqueVal.h                              | 148 +++++-
 src/Val.cc                                   |  20 +-
 src/Val.h                                    |  21 +-
 src/broker/Data.cc                           | 142 ++++-
 src/broker/Data.h                            |  20 +-
 src/broker/Store.cc                          |  14 +
 src/broker/Store.h                           |   4 +-
 src/broker/data.bif                          |  14 +
 src/file_analysis/analyzer/x509/OCSP.cc      |  28 +
 src/file_analysis/analyzer/x509/OCSP.h       |   4 +-
 src/file_analysis/analyzer/x509/X509.cc      |  29 +
 src/file_analysis/analyzer/x509/X509.h       |   3 +-
 src/probabilistic/BitVector.cc               |  41 ++
 src/probabilistic/BitVector.h                |   5 +
 src/probabilistic/BloomFilter.cc             |  83 +++
 src/probabilistic/BloomFilter.h              |  25 +
 src/probabilistic/CardinalityCounter.cc      |  41 ++
 src/probabilistic/CardinalityCounter.h       |   3 +
 src/probabilistic/CounterVector.cc           |  26 +
 src/probabilistic/CounterVector.h            |   5 +
 src/probabilistic/Hasher.cc                  |  41 ++
 src/probabilistic/Hasher.h                   |  19 +
 src/probabilistic/Topk.cc                    | 125 ++++-
 src/probabilistic/Topk.h                     |   2 +
 testing/btest/Baseline/broker.opaque/.stderr |   1 +
 testing/btest/Baseline/broker.opaque/out     |  53 ++
 testing/btest/broker/opaque.zeek             | 161 ++++++
 28 files changed, 1556 insertions(+), 52 deletions(-)
 create mode 100644 testing/btest/Baseline/broker.opaque/.stderr
 create mode 100644 testing/btest/Baseline/broker.opaque/out
 create mode 100644 testing/btest/broker/opaque.zeek

diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc
index 7e65cfe35c..360041ef09 100644
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@@ -6,6 +6,147 @@
 #include "probabilistic/BloomFilter.h"
 #include "probabilistic/CardinalityCounter.h"
 
+// Helper to retrieve a broker value out of a broker::vector at a specified
+// index, and casted to the expected destination type.
+template<typename S, typename V, typename D>
+inline bool get_vector_idx(const V& v, unsigned int i, D* dst)
+	{
+	if ( i >= v.size() )
+		return false;
+
+	auto x = caf::get_if<S>(&v[i]);
+	if ( ! x )
+		return false;
+
+	*dst = static_cast<D>(*x);
+	return true;
+	}
+
+OpaqueMgr* OpaqueMgr::mgr()
+	{
+	static OpaqueMgr mgr;
+	return &mgr;
+	}
+
+OpaqueVal::OpaqueVal(OpaqueType* t) : Val(t)
+	{
+	}
+
+OpaqueVal::~OpaqueVal()
+	{
+	}
+
+const std::string& OpaqueMgr::TypeID(const OpaqueVal* v) const
+	{
+	auto x = _types.find(v->OpaqueName());
+
+	if ( x == _types.end() )
+		reporter->InternalError(fmt("OpaqueMgr::TypeID: opaque type %s not registered",
+					v->OpaqueName()));
+
+	return x->first;
+	}
+
+OpaqueVal* OpaqueMgr::Instantiate(const std::string& id) const
+	{
+	auto x = _types.find(id);
+	return x != _types.end() ? (*x->second)() : nullptr;
+	}
+
+broker::expected<broker::data> OpaqueVal::Serialize() const
+	{
+	auto type = OpaqueMgr::mgr()->TypeID(this);
+
+	auto d = DoSerialize();
+	if ( d == broker::none() )
+		return broker::ec::invalid_data; // Cannot serialize
+
+	return {broker::vector{std::move(type), std::move(d)}};
+	}
+
+OpaqueVal* OpaqueVal::Unserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+
+	if ( ! (v && v->size() == 2) )
+		return nullptr;
+
+	auto type = caf::get_if<std::string>(&(*v)[0]);
+	if ( ! type )
+		return nullptr;
+
+	auto val = OpaqueMgr::mgr()->Instantiate(*type);
+	if ( ! val )
+		return nullptr;
+
+	if ( ! val->DoUnserialize((*v)[1]) )
+		{
+		Unref(val);
+		return nullptr;
+		}
+
+	return val;
+	}
+
+broker::data OpaqueVal::SerializeType(BroType* t)
+	{
+	if ( t->InternalType() == TYPE_INTERNAL_ERROR )
+		return broker::none();
+
+	if ( t->InternalType() == TYPE_INTERNAL_OTHER )
+		{
+		// Serialize by name.
+		assert(t->GetName().size());
+		return broker::vector{true, t->GetName()};
+		}
+
+	// A base type.
+	return broker::vector{false, static_cast<uint64>(t->Tag())};
+	}
+
+BroType* OpaqueVal::UnserializeType(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+	if ( ! (v && v->size() == 2) )
+		return nullptr;
+
+	auto by_name = caf::get_if<bool>(&(*v)[0]);
+	if ( ! by_name )
+		return nullptr;
+
+	if ( *by_name )
+		{
+		auto name = caf::get_if<std::string>(&(*v)[1]);
+		if ( ! name )
+			return nullptr;
+
+		ID* id = global_scope()->Lookup(name->c_str());
+                if ( ! id )
+			return nullptr;
+
+                BroType* t = id->AsType();
+                if ( ! t )
+			return nullptr;
+
+                return t->Ref();
+		}
+
+	auto tag = caf::get_if<uint64>(&(*v)[1]);
+	if ( ! tag )
+		return nullptr;
+
+	return base_type(static_cast<TypeTag>(*tag));
+	}
+
+Val* OpaqueVal::DoClone(CloneState* state)
+	{
+	auto d = OpaqueVal::Serialize();
+	if ( ! d )
+		return nullptr;
+
+	return OpaqueVal::Unserialize(std::move(*d));
+	}
+
 bool HashVal::IsValid() const
 	{
 	return valid;
@@ -145,6 +286,75 @@ StringVal* MD5Val::DoGet()
 	return new StringVal(md5_digest_print(digest));
 	}
 
+IMPLEMENT_OPAQUE_VALUE(MD5Val)
+
+broker::data MD5Val::DoSerialize() const
+	{
+	if ( ! IsValid() )
+		return broker::vector{false};
+
+	MD5_CTX* md = (MD5_CTX*) EVP_MD_CTX_md_data(ctx);
+
+	broker::vector d = {
+	    true,
+	    static_cast<uint64>(md->A),
+	    static_cast<uint64>(md->B),
+	    static_cast<uint64>(md->C),
+	    static_cast<uint64>(md->D),
+	    static_cast<uint64>(md->Nl),
+	    static_cast<uint64>(md->Nh),
+	    static_cast<uint64>(md->num)
+	};
+
+	for ( int i = 0; i < MD5_LBLOCK; ++i )
+		d.emplace_back(static_cast<uint64>(md->data[i]));
+
+	return d;
+	}
+
+bool MD5Val::DoUnserialize(const broker::data& data)
+	{
+	auto d = caf::get_if<broker::vector>(&data);
+	if ( ! d )
+		return false;
+
+	auto valid = caf::get_if<bool>(&(*d)[0]);
+	if ( ! valid )
+		return false;
+
+	if ( ! *valid )
+		{
+		assert(! IsValid()); // default set by ctor
+		return true;
+		}
+
+	Init();
+	MD5_CTX* md = (MD5_CTX*) EVP_MD_CTX_md_data(ctx);
+
+	if ( ! get_vector_idx<uint64_t>(*d, 1, &md->A) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 2, &md->B) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 3, &md->C) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 4, &md->D) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 5, &md->Nl) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 6, &md->Nh) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 7, &md->num) )
+		return false;
+
+	for ( int i = 0; i < MD5_LBLOCK; ++i )
+		{
+		if ( ! get_vector_idx<uint64_t>(*d, 8 + i, &md->data[i]) )
+			return false;
+		}
+
+	return true;
+	}
+
 SHA1Val::SHA1Val() : HashVal(sha1_type)
 	{
 	}
@@ -217,6 +427,78 @@ StringVal* SHA1Val::DoGet()
 	return new StringVal(sha1_digest_print(digest));
 	}
 
+IMPLEMENT_OPAQUE_VALUE(SHA1Val)
+
+broker::data SHA1Val::DoSerialize() const
+	{
+	if ( ! IsValid() )
+		return broker::vector{false};
+
+	SHA_CTX* md = (SHA_CTX*) EVP_MD_CTX_md_data(ctx);
+
+	broker::vector d = {
+	    true,
+	    static_cast<uint64>(md->h0),
+	    static_cast<uint64>(md->h1),
+	    static_cast<uint64>(md->h2),
+	    static_cast<uint64>(md->h3),
+	    static_cast<uint64>(md->h4),
+	    static_cast<uint64>(md->Nl),
+	    static_cast<uint64>(md->Nh),
+	    static_cast<uint64>(md->num)
+	};
+
+	for ( int i = 0; i < SHA_LBLOCK; ++i )
+		d.emplace_back(static_cast<uint64>(md->data[i]));
+
+	return d;
+	}
+
+bool SHA1Val::DoUnserialize(const broker::data& data)
+	{
+	auto d = caf::get_if<broker::vector>(&data);
+	if ( ! d )
+		return false;
+
+	auto valid = caf::get_if<bool>(&(*d)[0]);
+	if ( ! valid )
+		return false;
+
+	if ( ! *valid )
+		{
+		assert(! IsValid()); // default set by ctor
+		return true;
+		}
+
+	Init();
+	SHA_CTX* md = (SHA_CTX*) EVP_MD_CTX_md_data(ctx);
+
+	if ( ! get_vector_idx<uint64_t>(*d, 1, &md->h0) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 2, &md->h1) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 3, &md->h2) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 4, &md->h3) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 5, &md->h4) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 6, &md->Nl) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 7, &md->Nh) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 8, &md->num) )
+		return false;
+
+	for ( int i = 0; i < SHA_LBLOCK; ++i )
+		{
+		if ( ! get_vector_idx<uint64_t>(*d, 9 + i, &md->data[i]) )
+			return false;
+		}
+
+	return true;
+	}
+
 SHA256Val::SHA256Val() : HashVal(sha256_type)
 	{
 	}
@@ -289,6 +571,75 @@ StringVal* SHA256Val::DoGet()
 	return new StringVal(sha256_digest_print(digest));
 	}
 
+IMPLEMENT_OPAQUE_VALUE(SHA256Val)
+
+broker::data SHA256Val::DoSerialize() const
+	{
+	if ( ! IsValid() )
+		return broker::vector{false};
+
+	SHA256_CTX* md = (SHA256_CTX*) EVP_MD_CTX_md_data(ctx);
+
+	broker::vector d = {
+	    true,
+	    static_cast<uint64>(md->Nl),
+	    static_cast<uint64>(md->Nh),
+	    static_cast<uint64>(md->num),
+	    static_cast<uint64>(md->md_len)
+	};
+
+	for ( int i = 0; i < 8; ++i )
+		d.emplace_back(static_cast<uint64>(md->h[i]));
+
+	for ( int i = 0; i < SHA_LBLOCK; ++i )
+		d.emplace_back(static_cast<uint64>(md->data[i]));
+
+	return d;
+	}
+
+bool SHA256Val::DoUnserialize(const broker::data& data)
+	{
+	auto d = caf::get_if<broker::vector>(&data);
+	if ( ! d )
+		return false;
+
+	auto valid = caf::get_if<bool>(&(*d)[0]);
+	if ( ! valid )
+		return false;
+
+	if ( ! *valid )
+		{
+		assert(! IsValid()); // default set by ctor
+		return true;
+		}
+
+	Init();
+	SHA256_CTX* md = (SHA256_CTX*) EVP_MD_CTX_md_data(ctx);
+
+	if ( ! get_vector_idx<uint64_t>(*d, 1, &md->Nl) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 2, &md->Nh) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 3, &md->num) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 4, &md->md_len) )
+		return false;
+
+	for ( int i = 0; i < 8; ++i )
+		{
+		if ( ! get_vector_idx<uint64_t>(*d, 5 + i, &md->h[i]) )
+			return false;
+		}
+
+	for ( int i = 0; i < SHA_LBLOCK; ++i )
+		{
+		if ( ! get_vector_idx<uint64_t>(*d, 13 + i, &md->data[i]) )
+			return false;
+		}
+
+	return true;
+	}
+
 EntropyVal::EntropyVal() : OpaqueVal(entropy_type)
 	{
 	}
@@ -312,6 +663,89 @@ bool EntropyVal::Get(double *r_ent, double *r_chisq, double *r_mean,
 	return true;
 	}
 
+IMPLEMENT_OPAQUE_VALUE(EntropyVal)
+
+broker::data EntropyVal::DoSerialize() const
+	{
+	broker::vector d =
+		{
+		static_cast<uint64>(state.totalc),
+		static_cast<uint64>(state.mp),
+		static_cast<uint64>(state.sccfirst),
+		static_cast<uint64>(state.inmont),
+		static_cast<uint64>(state.mcount),
+		static_cast<uint64>(state.cexp),
+		static_cast<uint64>(state.montex),
+		static_cast<uint64>(state.montey),
+		static_cast<uint64>(state.montepi),
+		static_cast<uint64>(state.sccu0),
+		static_cast<uint64>(state.scclast),
+		static_cast<uint64>(state.scct1),
+		static_cast<uint64>(state.scct2),
+		static_cast<uint64>(state.scct3),
+		};
+
+	d.reserve(256 + 3 + RT_MONTEN + 11);
+
+	for ( int i = 0; i < 256; ++i )
+		d.emplace_back(static_cast<uint64>(state.ccount[i]));
+
+        for ( int i = 0; i < RT_MONTEN; ++i )
+		d.emplace_back(static_cast<uint64>(state.monte[i]));
+
+	return d;
+	}
+
+bool EntropyVal::DoUnserialize(const broker::data& data)
+	{
+	auto d = caf::get_if<broker::vector>(&data);
+	if ( ! d )
+		return false;
+
+	if ( ! get_vector_idx<uint64_t>(*d, 0, &state.totalc) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 1, &state.mp) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 2, &state.sccfirst) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 3, &state.inmont) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 4, &state.mcount) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 5, &state.cexp) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 6, &state.montex) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 7, &state.montey) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 8, &state.montepi) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 9, &state.sccu0) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 10, &state.scclast) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 11, &state.scct1) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 12, &state.scct2) )
+		return false;
+	if ( ! get_vector_idx<uint64_t>(*d, 13, &state.scct3) )
+		return false;
+
+	for ( int i = 0; i < 256; ++i )
+		{
+		if ( ! get_vector_idx<uint64_t>(*d, 14 + i, &state.ccount[i]) )
+			return false;
+		}
+
+	for ( int i = 0; i < RT_MONTEN; ++i )
+		{
+		if ( ! get_vector_idx<uint64_t>(*d, 14 + 256 + i, &state.monte[i]) )
+			return false;
+		}
+
+	return true;
+	}
+
 BloomFilterVal::BloomFilterVal()
 	: OpaqueVal(bloomfilter_type)
 	{
@@ -442,6 +876,54 @@ BloomFilterVal::~BloomFilterVal()
 	delete bloom_filter;
 	}
 
+IMPLEMENT_OPAQUE_VALUE(BloomFilterVal)
+
+broker::data BloomFilterVal::DoSerialize() const
+	{
+	broker::vector d;
+
+	if ( type )
+		{
+		auto t = SerializeType(type);
+		if ( t == broker::none() )
+			return broker::none();
+
+		d.emplace_back(t);
+		}
+	else
+		d.emplace_back(broker::none());
+
+	auto bf = bloom_filter->Serialize();
+	if ( ! bf )
+		return broker::none();
+
+	d.emplace_back(*bf);
+	return d;
+	}
+
+bool BloomFilterVal::DoUnserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+
+	if ( ! (v && v->size() == 2) )
+		return false;
+
+	auto no_type = caf::get_if<broker::none>(&(*v)[0]);
+	if ( ! no_type )
+		{
+		BroType* t = UnserializeType((*v)[0]);
+                if ( ! (t && Typify(t)) )
+			return false;
+		}
+
+	auto bf = probabilistic::BloomFilter::Unserialize((*v)[1]);
+	if ( ! bf )
+		return false;
+
+	bloom_filter = bf.release();
+	return true;
+	}
+
 CardinalityVal::CardinalityVal() : OpaqueVal(cardinality_type)
 	{
 	c = 0;
@@ -496,3 +978,51 @@ void CardinalityVal::Add(const Val* val)
 	c->AddElement(key->Hash());
 	delete key;
 	}
+
+IMPLEMENT_OPAQUE_VALUE(CardinalityVal)
+
+broker::data CardinalityVal::DoSerialize() const
+	{
+	broker::vector d;
+
+	if ( type )
+		{
+		auto t = SerializeType(type);
+		if ( t == broker::none() )
+			return broker::none();
+
+		d.emplace_back(t);
+		}
+	else
+		d.emplace_back(broker::none());
+
+	auto cs = c->Serialize();
+	if ( ! cs )
+		return broker::none();
+
+	d.emplace_back(*cs);
+	return d;
+	}
+
+bool CardinalityVal::DoUnserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+
+	if ( ! (v && v->size() == 2) )
+		return false;
+
+	auto no_type = caf::get_if<broker::none>(&(*v)[0]);
+	if ( ! no_type )
+		{
+		BroType* t = UnserializeType((*v)[0]);
+                if ( ! (t && Typify(t)) )
+			return false;
+		}
+
+	auto cu = probabilistic::CardinalityCounter::Unserialize((*v)[1]);
+	if ( ! cu )
+		return false;
+
+	c = cu.release();
+	return true;
+	}
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h
index c2fd1cf129..805cd1dad6 100644
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@@ -9,6 +9,145 @@
 #include "Val.h"
 #include "digest.h"
 
+class OpaqueVal;
+
+/**
+  * Singleton that registers all available all available types of opaque
+  * values. This faciliates their serialization into Broker values.
+  */
+class OpaqueMgr {
+public:
+	using Factory = OpaqueVal* ();
+
+	/**
+	 * Return's a unique ID for the type of an opaque value.
+
+	 * @param v opaque value to return type for; it's classmust have been
+	 * registered with the manager, otherwise this method will abort
+	 * execugtion.
+	 *
+	 * @return type ID, which can used with *Instantiate()* to create a
+	 * new
+	 * instnace of the same type.
+	 */
+	const std::string& TypeID(const OpaqueVal* v) const;
+
+	/**
+	 * Instantiates a new opaque value of a specific opaque type.
+	 *
+	 * @param id unique type ID for the class to instantiate; this will
+	 * normally have been returned earlier by *TypeID()*.
+	 *
+	 * @return A freshly instantiated value of the OpaqueVal-derived
+	 * classes that *id* specifies, with reference count at +1. If *id*
+	 * is unknown, this will return null.
+	 *
+	 */
+	OpaqueVal* Instantiate(const std::string& id) const;
+
+	/** Returns the global manager singleton object. */
+	static OpaqueMgr* mgr();
+
+	/**
+	 * Internal helper class to register an OpaqueVal-derived classes
+	 * with the manager.
+	 */
+	template<class T>
+	class Register {
+	public:
+		Register(const char* id)
+			{ OpaqueMgr::mgr()->_types.emplace(id, &T::OpaqueInstantiate); }
+	};
+
+private:
+	std::unordered_map<std::string, Factory*> _types;
+};
+
+/** Macro to insert into an OpaqueVal-derived class's declaration. */
+#define DECLARE_OPAQUE_VALUE(T)                            \
+    friend class OpaqueMgr::Register<T>;                   \
+    broker::data DoSerialize() const;                      \
+    bool DoUnserialize(const broker::data& data);          \
+    const char* OpaqueName() const override { return #T; } \
+    static OpaqueVal* OpaqueInstantiate() { return new T(); }
+
+#define __OPAQUE_MERGE(a, b) a ## b
+#define __OPAQUE_ID(x) __OPAQUE_MERGE(_opaque, x)
+
+/** Macro to insert into an OpaqueVal-derived class's implementation file. */
+#define IMPLEMENT_OPAQUE_VALUE(T) static OpaqueMgr::Register<T> __OPAQUE_ID(__LINE__)(#T);
+
+/**
+ * Base class for all opaque values. Opaque values are types that are managed
+ * completely internally, with no further script-level operators provided
+ * (other than bif functions). See OpaqueVal.h for derived classes.
+ */
+class OpaqueVal : public Val {
+public:
+	explicit OpaqueVal(OpaqueType* t);
+	~OpaqueVal() override;
+
+	/**
+	 * Serializes the value into a Broker representation.
+	 *
+	 * @return the broker representatio, or an error if serialization
+	 * isn't supported or failed.
+	 */
+	broker::expected<broker::data> Serialize() const;
+
+	/**
+	 * Reinstantiates a value from its serialized Broker representation.
+	 *
+	 * @param data Broker representation as returned by *Serialize()*.
+	 * @return unserialized instances with referecnce count at +1
+	 */
+	static OpaqueVal* Unserialize(const broker::data& data);
+
+protected:
+	friend class Val;
+	friend class OpaqueMgr;
+	OpaqueVal() { }
+
+	/**
+	 * Must be overriden to provide a serialized version of the derived
+	 * class' state. Returns 'broker::none()' if serialization fails, or
+	 * is not supported.
+	 */
+	virtual broker::data DoSerialize() const = 0;
+
+	/**
+	 * Must be overriden to recreate the the derived class' state from a
+	 * serialization. Returns true if successfull.
+	 */
+	virtual bool DoUnserialize(const broker::data& data) = 0;
+
+	/**
+	 * Internal helper for the serialization machinery. Automatically
+	 * overridden by the `DECLARE_OPAQUE_VALUE` macro.
+	 */
+	virtual const char* OpaqueName() const = 0;
+
+	/**
+	 * Provides an implementation of *Val::DoClone()* that leverages the
+	 * serialization methods to deep-copy an instance. Derived classes
+	 * may also override this with a more efficient custom clone
+	 * implementation of their own.
+	 */
+	Val* DoClone(CloneState* state) override;
+
+	/**
+	 * Helper function for derived class that need to record a type
+	 * during serialization. 
+	 */
+	static broker::data SerializeType(BroType* t);
+
+	/**
+	 * Helper function for derived class that need to restore a type
+	 * during unserialization. Returns the type at reference count +1.
+	 */
+	static BroType* UnserializeType(const broker::data& data);
+};
+
 namespace probabilistic {
 	class BloomFilter;
 	class CardinalityCounter;
@@ -22,7 +161,7 @@ public:
 	virtual StringVal* Get();
 
 protected:
-	HashVal() { };
+	HashVal()	{ valid = false; }
 	explicit HashVal(OpaqueType* t);
 
 	virtual bool DoInit();
@@ -54,6 +193,7 @@ protected:
 	bool DoFeed(const void* data, size_t size) override;
 	StringVal* DoGet() override;
 
+	DECLARE_OPAQUE_VALUE(MD5Val)
 private:
 	EVP_MD_CTX* ctx;
 };
@@ -74,6 +214,7 @@ protected:
 	bool DoFeed(const void* data, size_t size) override;
 	StringVal* DoGet() override;
 
+	DECLARE_OPAQUE_VALUE(SHA1Val)
 private:
 	EVP_MD_CTX* ctx;
 };
@@ -94,6 +235,7 @@ protected:
 	bool DoFeed(const void* data, size_t size) override;
 	StringVal* DoGet() override;
 
+	DECLARE_OPAQUE_VALUE(SHA256Val)
 private:
 	EVP_MD_CTX* ctx;
 };
@@ -111,6 +253,7 @@ public:
 protected:
 	friend class Val;
 
+	DECLARE_OPAQUE_VALUE(EntropyVal)
 private:
 	RandTest state;
 };
@@ -139,6 +282,7 @@ protected:
 	BloomFilterVal();
 	explicit BloomFilterVal(OpaqueType* t);
 
+	DECLARE_OPAQUE_VALUE(BloomFilterVal)
 private:
 	// Disable.
 	BloomFilterVal(const BloomFilterVal&);
@@ -162,12 +306,12 @@ public:
 	BroType* Type() const;
 	bool Typify(BroType* type);
 
-
 	probabilistic::CardinalityCounter* Get()	{ return c; };
 
 protected:
 	CardinalityVal();
 
+	DECLARE_OPAQUE_VALUE(CardinalityVal)
 private:
 	BroType* type;
 	CompositeHash* hash;
diff --git a/src/Val.cc b/src/Val.cc
index f0c0c031ed..1171375649 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -73,7 +73,11 @@ Val::~Val()
 Val* Val::Clone()
 	{
 	Val::CloneState state;
-	return Clone(&state);
+	auto v = Clone(&state);
+	if ( ! v )
+		reporter->RuntimeError(GetLocationInfo(), "cannot clone value");
+
+	return v;
 	}
 
 Val* Val::Clone(CloneState* state)
@@ -2775,20 +2779,6 @@ void VectorVal::ValDescribe(ODesc* d) const
 	d->Add("]");
 	}
 
-OpaqueVal::OpaqueVal(OpaqueType* t) : Val(t)
-	{
-	}
-
-OpaqueVal::~OpaqueVal()
-	{
-	}
-
-Val* OpaqueVal::DoClone(CloneState* state)
-	{
-	reporter->InternalError("cloning opaque type without clone implementation");
-	return nullptr;
-	}
-
 Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	{
 	if ( ! v )
diff --git a/src/Val.h b/src/Val.h
index 59fef19ac0..265fd07ab6 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -8,6 +8,9 @@
 #include <vector>
 #include <list>
 #include <array>
+#include <unordered_map>
+
+#include <broker/broker.hh>
 
 #include "net_util.h"
 #include "Type.h"
@@ -50,6 +53,7 @@ class ListVal;
 class StringVal;
 class EnumVal;
 class MutableVal;
+class OpaqueVal;
 
 class StateAccess;
 
@@ -304,6 +308,7 @@ public:
 	CONVERTER(TYPE_STRING, StringVal*, AsStringVal)
 	CONVERTER(TYPE_VECTOR, VectorVal*, AsVectorVal)
 	CONVERTER(TYPE_ENUM, EnumVal*, AsEnumVal)
+	CONVERTER(TYPE_OPAQUE, OpaqueVal*, AsOpaqueVal)
 
 #define CONST_CONVERTER(tag, ctype, name) \
 	const ctype name() const \
@@ -321,6 +326,7 @@ public:
 	CONST_CONVERTER(TYPE_LIST, ListVal*, AsListVal)
 	CONST_CONVERTER(TYPE_STRING, StringVal*, AsStringVal)
 	CONST_CONVERTER(TYPE_VECTOR, VectorVal*, AsVectorVal)
+	CONST_CONVERTER(TYPE_OPAQUE, OpaqueVal*, AsOpaqueVal)
 
 	bool IsMutableVal() const
 		{
@@ -1154,21 +1160,6 @@ protected:
 	VectorType* vector_type;
 };
 
-// Base class for values with types that are managed completely internally,
-// with no further script-level operators provided (other than bif
-// functions). See OpaqueVal.h for derived classes.
-class OpaqueVal : public Val {
-public:
-	explicit OpaqueVal(OpaqueType* t);
-	~OpaqueVal() override;
-
-protected:
-	friend class Val;
-	OpaqueVal() { }
-
-	Val* DoClone(CloneState* state) override;
-};
-
 // Checks the given value for consistency with the given type.  If an
 // exact match, returns it.  If promotable, returns the promoted version,
 // Unref()'ing the original.  If not a match, generates an error message
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index 63efd58d44..93986306ec 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -126,11 +126,6 @@ struct val_converter {
 
 			return rval->Ref();
 			}
-		case TYPE_OPAQUE:
-			{
-			// Fixme: Johanna
-			return nullptr;
-			}
 		default:
 			return nullptr;
 		}
@@ -430,6 +425,8 @@ struct val_converter {
 			auto rval = new PatternVal(re);
 			return rval;
 			}
+		else if ( type->Tag() == TYPE_OPAQUE )
+			return OpaqueVal::Unserialize(a);
 
 		return nullptr;
 		}
@@ -504,12 +501,6 @@ struct type_checker {
 
 			return true;
 			}
-		case TYPE_OPAQUE:
-			{
-			// TODO
-			// Fixme: johanna
-			return false;
-			}
 		default:
 			return false;
 		}
@@ -756,6 +747,11 @@ struct type_checker {
 
 			return true;
 			}
+		else if ( type->Tag() == TYPE_OPAQUE )
+			// Correct if successful. TODO: Should avoid do the
+			// full unserialization here, and just check the
+			// type.
+			return OpaqueVal::Unserialize(a);
 
 		return false;
 		}
@@ -970,10 +966,17 @@ broker::expected<broker::data> bro_broker::val_to_data(Val* v)
 		broker::vector rval = {p->PatternText(), p->AnywherePatternText()};
 		return {std::move(rval)};
 		}
-	// Fixme: johanna
-	// case TYPE_OPAQUE:
-	//	{
-	//	}
+	case TYPE_OPAQUE:
+		{
+		auto c = v->AsOpaqueVal()->Serialize();
+		if ( ! c )
+			{
+			reporter->Error("unsupported opaque type for serialization");
+			break;
+			}
+
+		return {c};
+		}
 	default:
 		reporter->Error("unsupported Broker::Data type: %s",
 		                type_name(v->Type()->Tag()));
@@ -1109,6 +1112,115 @@ Val* bro_broker::DataVal::castTo(BroType* t)
 	return data_to_val(data, t);
 	}
 
+IMPLEMENT_OPAQUE_VALUE(bro_broker::DataVal)
+
+broker::data bro_broker::DataVal::DoSerialize() const
+	{
+	return data;
+	}
+
+bool bro_broker::DataVal::DoUnserialize(const broker::data& data_)
+	{
+	data = data_;
+	return true;
+	}
+
+IMPLEMENT_OPAQUE_VALUE(bro_broker::SetIterator)
+
+broker::data bro_broker::SetIterator::DoSerialize() const
+	{
+	return broker::vector{dat, *it};
+	}
+
+bool bro_broker::SetIterator::DoUnserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+	if ( ! (v && v->size() == 2) )
+		return false;
+
+	auto x = caf::get_if<broker::set>(&(*v)[0]);
+
+	// We set the iterator by finding the element it used to point to.
+	// This is not perfect, as there's no guarantee that the restored
+	// container will list the elements in the same order. But it's as
+	// good as we can do, and it should generally work out.
+	if( x->find((*v)[1]) == x->end() )
+		return false;
+
+	dat = *x;
+	it = dat.find((*v)[1]);
+	return true;
+	}
+
+IMPLEMENT_OPAQUE_VALUE(bro_broker::TableIterator)
+
+broker::data bro_broker::TableIterator::DoSerialize() const
+	{
+	return broker::vector{dat, it->first};
+	}
+
+bool bro_broker::TableIterator::DoUnserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+	if ( ! (v && v->size() == 2) )
+		return false;
+
+	auto x = caf::get_if<broker::table>(&(*v)[0]);
+
+	// We set the iterator by finding the element it used to point to.
+	// This is not perfect, as there's no guarantee that the restored
+	// container will list the elements in the same order. But it's as
+	// good as we can do, and it should generally work out.
+	if( x->find((*v)[1]) == x->end() )
+		return false;
+
+	dat = *x;
+	it = dat.find((*v)[1]);
+	return true;
+	}
+
+IMPLEMENT_OPAQUE_VALUE(bro_broker::VectorIterator)
+
+broker::data bro_broker::VectorIterator::DoSerialize() const
+	{
+	return broker::vector{dat, it - dat.begin()};
+	}
+
+bool bro_broker::VectorIterator::DoUnserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+	if ( ! (v && v->size() == 2) )
+		return false;
+
+	auto x = caf::get_if<broker::vector>(&(*v)[0]);
+	auto y = caf::get_if<broker::vector::difference_type>(&(*v)[1]);
+
+	dat = *x;
+	it = dat.begin() + *y;
+	return true;
+	}
+
+IMPLEMENT_OPAQUE_VALUE(bro_broker::RecordIterator)
+
+broker::data bro_broker::RecordIterator::DoSerialize() const
+	{
+	return broker::vector{dat, it - dat.begin()};
+	}
+
+bool bro_broker::RecordIterator::DoUnserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+	if ( ! (v && v->size() == 2) )
+		return false;
+
+	auto x = caf::get_if<broker::vector>(&(*v)[0]);
+	auto y = caf::get_if<broker::vector::difference_type>(&(*v)[1]);
+
+	dat = *x;
+	it = dat.begin() + *y;
+	return true;
+	}
+
 broker::data bro_broker::threading_field_to_data(const threading::Field* f)
 	{
 	auto name = f->name;
diff --git a/src/broker/Data.h b/src/broker/Data.h
index bf7bdd8cad..eda8f6550c 100644
--- a/src/broker/Data.h
+++ b/src/broker/Data.h
@@ -2,7 +2,7 @@
 #define BRO_COMM_DATA_H
 
 #include <broker/broker.hh>
-#include "Val.h"
+#include "OpaqueVal.h"
 #include "Reporter.h"
 #include "Frame.h"
 #include "Expr.h"
@@ -126,6 +126,8 @@ protected:
 	DataVal()
 		{}
 
+	DECLARE_OPAQUE_VALUE(bro_broker::DataVal)
+
 	static BroType* script_data_type;
 };
 
@@ -240,6 +242,10 @@ public:
 
 	broker::set dat;
 	broker::set::iterator it;
+
+protected:
+	SetIterator()	{}
+	DECLARE_OPAQUE_VALUE(bro_broker::SetIterator)
 };
 
 class TableIterator : public OpaqueVal {
@@ -253,6 +259,10 @@ public:
 
 	broker::table dat;
 	broker::table::iterator it;
+
+protected:
+	TableIterator()	{}
+	DECLARE_OPAQUE_VALUE(bro_broker::TableIterator)
 };
 
 class VectorIterator : public OpaqueVal {
@@ -266,6 +276,10 @@ public:
 
 	broker::vector dat;
 	broker::vector::iterator it;
+
+protected:
+	VectorIterator()	{}
+	DECLARE_OPAQUE_VALUE(bro_broker::VectorIterator)
 };
 
 class RecordIterator : public OpaqueVal {
@@ -279,6 +293,10 @@ public:
 
 	broker::vector dat;
 	broker::vector::iterator it;
+
+protected:
+	RecordIterator()	{}
+	DECLARE_OPAQUE_VALUE(bro_broker::RecordIterator)
 };
 
 } // namespace bro_broker
diff --git a/src/broker/Store.cc b/src/broker/Store.cc
index f4db09f030..7462485bc3 100644
--- a/src/broker/Store.cc
+++ b/src/broker/Store.cc
@@ -49,6 +49,20 @@ void StoreHandleVal::ValDescribe(ODesc* d) const
 	d->Add("}");
 	}
 
+IMPLEMENT_OPAQUE_VALUE(StoreHandleVal)
+
+broker::data StoreHandleVal::DoSerialize() const
+	{
+	// Cannot serialize.
+	return broker::none();
+	}
+
+bool StoreHandleVal::DoUnserialize(const broker::data& data)
+	{
+	// Cannot unserialize.
+	return false;
+	}
+
 broker::backend to_backend_type(BifEnum::Broker::BackendType type)
 	{
 	switch ( type ) {
diff --git a/src/broker/Store.h b/src/broker/Store.h
index 190417d71d..7e5b2bde07 100644
--- a/src/broker/Store.h
+++ b/src/broker/Store.h
@@ -5,7 +5,7 @@
 #include "broker/data.bif.h"
 #include "Reporter.h"
 #include "Type.h"
-#include "Val.h"
+#include "OpaqueVal.h"
 #include "Trigger.h"
 
 #include <broker/broker.hh>
@@ -121,6 +121,8 @@ public:
 
 protected:
 	StoreHandleVal() = default;
+
+	DECLARE_OPAQUE_VALUE(StoreHandleVal)
 };
 
 // Helper function to construct a broker backend type from script land.
diff --git a/src/broker/data.bif b/src/broker/data.bif
index 53ce5d506c..b6b7c08f72 100644
--- a/src/broker/data.bif
+++ b/src/broker/data.bif
@@ -41,6 +41,20 @@ function Broker::__data_type%(d: Broker::Data%): Broker::DataType
 	return bro_broker::get_data_type(d->AsRecordVal(), frame);
 	%}
 
+# For testing only.
+function Broker::__opaque_clone_through_serialization%(d: any%): any
+	%{
+	auto x = d->AsOpaqueVal()->Serialize();
+
+	if ( ! x )
+		{
+		builtin_error("cannot serialize object to clone");
+        	return val_mgr->GetFalse();
+		}
+	
+	return OpaqueVal::Unserialize(std::move(*x));
+	%}
+
 function Broker::__set_create%(%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::set());
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index 9512d43260..269126c9d9 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -711,3 +711,31 @@ OCSP_RESPONSE* OCSP_RESPVal::GetResp() const
 	return ocsp_resp;
 	}
 
+IMPLEMENT_OPAQUE_VALUE(OCSP_RESPVal)
+
+broker::data OCSP_RESPVal::DoSerialize() const
+	{
+        unsigned char *buf = NULL;
+        int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf);
+        if ( length < 0 )
+                return broker::none();
+
+	auto d = std::string(reinterpret_cast<const char*>(buf), length);
+        OPENSSL_free(buf);
+
+	return d;
+	}
+
+bool OCSP_RESPVal::DoUnserialize(const broker::data& data)
+	{
+	if ( caf::get_if<broker::none>(&data) )
+		return false;
+
+	auto s = caf::get_if<std::string>(&data);
+	if ( ! s )
+		return false;
+
+	auto opensslbuf = reinterpret_cast<const unsigned char*>(s->data());
+        ocsp_resp = d2i_OCSP_RESPONSE(NULL, &opensslbuf, s->size());
+	return (ocsp_resp != nullptr);
+	}
diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
index 9bb7b5712f..4f706b8f64 100644
--- a/src/file_analysis/analyzer/x509/OCSP.h
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@@ -5,7 +5,7 @@
 
 #include <string>
 
-#include "Val.h"
+#include "OpaqueVal.h"
 #include "../File.h"
 #include "Analyzer.h"
 #include "X509Common.h"
@@ -44,6 +44,8 @@ public:
 	OCSP_RESPONSE *GetResp() const;
 protected:
 	OCSP_RESPVal();
+
+	DECLARE_OPAQUE_VALUE(OCSP_RESPVal)
 private:
 	OCSP_RESPONSE *ocsp_resp;
 };
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index a06b4681f5..bd6d796a6b 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -489,3 +489,32 @@ Val* X509Val::DoClone(CloneState* state)
 	return certificate;
 	}
 
+IMPLEMENT_OPAQUE_VALUE(X509Val)
+
+broker::data X509Val::DoSerialize() const
+	{
+        unsigned char *buf = NULL;
+        int length = i2d_X509(certificate, &buf);
+
+        if ( length < 0 )
+                return broker::none();
+
+	auto d = std::string(reinterpret_cast<const char*>(buf), length);
+        OPENSSL_free(buf);
+
+	return d;
+	}
+
+bool X509Val::DoUnserialize(const broker::data& data)
+	{
+	if ( caf::get_if<broker::none>(&data) )
+		return false;
+
+	auto s = caf::get_if<std::string>(&data);
+	if ( ! s )
+		return false;
+
+	auto opensslbuf = reinterpret_cast<const unsigned char*>(s->data());
+        certificate = d2i_X509(NULL, &opensslbuf, s->size());
+	return (certificate != nullptr);
+	}
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index b8a4e8d6e5..f20712cab2 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -5,7 +5,7 @@
 
 #include <string>
 
-#include "Val.h"
+#include "OpaqueVal.h"
 #include "X509Common.h"
 
 #if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) || defined(LIBRESSL_VERSION_NUMBER)
@@ -151,6 +151,7 @@ protected:
 	 */
 	X509Val();
 
+	DECLARE_OPAQUE_VALUE(X509Val)
 private:
 	::X509* certificate; // the wrapped certificate
 };
diff --git a/src/probabilistic/BitVector.cc b/src/probabilistic/BitVector.cc
index 6e09c370a4..a7d6bf4f11 100644
--- a/src/probabilistic/BitVector.cc
+++ b/src/probabilistic/BitVector.cc
@@ -505,6 +505,47 @@ uint64 BitVector::Hash() const
 	return digest;
 	}
 
+broker::expected<broker::data> BitVector::Serialize() const
+	{
+	broker::vector v = {static_cast<uint64>(num_bits), static_cast<uint64>(bits.size())};
+	v.reserve(2 + bits.size());
+
+        for ( size_t i = 0; i < bits.size(); ++i )
+		v.emplace_back(static_cast<uint64>(bits[i]));
+
+        return {v};
+	}
+
+std::unique_ptr<BitVector> BitVector::Unserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+	if ( ! (v && v->size() >= 2) )
+		return nullptr;
+
+	auto num_bits = caf::get_if<uint64>(&(*v)[0]);
+	auto size = caf::get_if<uint64>(&(*v)[1]);
+
+	if ( ! (num_bits && size) )
+		return nullptr;
+
+	if ( v->size() != 2 + *size )
+		return nullptr;
+
+	auto bv = std::unique_ptr<BitVector>(new BitVector());
+	bv->num_bits = *num_bits;
+
+        for ( size_t i = 0; i < *size; ++i )
+		{
+		auto x = caf::get_if<uint64>(&(*v)[2 + i]);
+		if ( ! x )
+			return nullptr;
+
+		bv->bits.push_back(*x);
+		}
+
+	return std::move(bv);
+	}
+
 BitVector::size_type BitVector::lowest_bit(block_type block)
 	{
 	block_type x = block - (block & (block - 1));
diff --git a/src/probabilistic/BitVector.h b/src/probabilistic/BitVector.h
index a87b27e55b..12d628cacf 100644
--- a/src/probabilistic/BitVector.h
+++ b/src/probabilistic/BitVector.h
@@ -6,6 +6,8 @@
 #include <iterator>
 #include <vector>
 
+#include <broker/Data.h>
+
 namespace probabilistic {
 
 /**
@@ -281,6 +283,9 @@ public:
 	  */
 	uint64_t Hash() const;
 
+	broker::expected<broker::data> Serialize() const;
+	static std::unique_ptr<BitVector> Unserialize(const broker::data& data);
+
 private:
 	/**
 	 * Computes the number of excess/unused bits in the bit vector.
diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc
index e12de2f049..2148fac556 100644
--- a/src/probabilistic/BloomFilter.cc
+++ b/src/probabilistic/BloomFilter.cc
@@ -28,6 +28,51 @@ BloomFilter::~BloomFilter()
 	delete hasher;
 	}
 
+broker::expected<broker::data> BloomFilter::Serialize() const
+	{
+	auto h = hasher->Serialize();
+	auto d = DoSerialize();
+
+	if ( (! h) || d == broker::none() )
+		return broker::ec::invalid_data; // Cannot serialize
+
+	return broker::vector{static_cast<uint64>(Type()), std::move(*h), std::move(d)};
+	}
+
+std::unique_ptr<BloomFilter> BloomFilter::Unserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+
+	if ( ! (v && v->size() == 3) )
+		return nullptr;
+
+	auto type = caf::get_if<uint64>(&(*v)[0]);
+	if ( ! type )
+		return nullptr;
+
+	auto hasher_ = Hasher::Unserialize((*v)[1]);
+	if ( ! hasher_ )
+		return nullptr;
+
+	std::unique_ptr<BloomFilter> bf;
+
+	switch ( *type ) {
+	case Basic:
+		bf = std::unique_ptr<BloomFilter>(new BasicBloomFilter());
+		break;
+
+	case Counting:
+		bf = std::unique_ptr<BloomFilter>(new CountingBloomFilter());
+		break;
+	}
+
+	if ( ! bf->DoUnserialize((*v)[2]) )
+		return nullptr;
+
+	bf->hasher = hasher_.release();
+	return std::move(bf);
+	}
+
 size_t BasicBloomFilter::M(double fp, size_t capacity)
 	{
 	double ln2 = std::log(2);
@@ -126,6 +171,25 @@ size_t BasicBloomFilter::Count(const HashKey* key) const
 	return 1;
 	}
 
+broker::data BasicBloomFilter::DoSerialize() const
+	{
+	auto b = bits->Serialize();
+	if ( ! b )
+		return broker::none();
+
+	return *b;
+	}
+
+bool BasicBloomFilter::DoUnserialize(const broker::data& data)
+	{
+	auto b = BitVector::Unserialize(data);
+	if ( ! b )
+		return false;
+
+	bits = b.release();
+	return true;
+	}
+
 CountingBloomFilter::CountingBloomFilter()
 	{
 	cells = 0;
@@ -217,3 +281,22 @@ size_t CountingBloomFilter::Count(const HashKey* key) const
 
 	return min;
 	}
+
+broker::data CountingBloomFilter::DoSerialize() const
+	{
+	auto c = cells->Serialize();
+	if ( ! c )
+		return broker::none();
+
+	return *c;
+	}
+
+bool CountingBloomFilter::DoUnserialize(const broker::data& data)
+	{
+	auto c = CounterVector::Unserialize(data);
+	if ( ! c )
+		return false;
+
+	cells = c.release();
+	return true;
+	}
diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h
index 03acfd17d6..556ffd4bc0 100644
--- a/src/probabilistic/BloomFilter.h
+++ b/src/probabilistic/BloomFilter.h
@@ -4,6 +4,9 @@
 #define PROBABILISTIC_BLOOMFILTER_H
 
 #include <vector>
+
+#include <broker/Data.h>
+
 #include "BitVector.h"
 #include "Hasher.h"
 
@@ -11,6 +14,9 @@ namespace probabilistic {
 
 class CounterVector;
 
+/** Types of derived BloomFilter classes. */
+enum BloomFilterType { Basic, Counting };
+
 /**
  * The abstract base class for Bloom filters.
  */
@@ -71,6 +77,9 @@ public:
 	 */
 	virtual string InternalState() const = 0;
 
+	broker::expected<broker::data> Serialize() const;
+	static std::unique_ptr<BloomFilter> Unserialize(const broker::data& data);
+
 protected:
 	/**
 	 * Default constructor.
@@ -84,6 +93,10 @@ protected:
 	 */
 	explicit BloomFilter(const Hasher* hasher);
 
+	virtual broker::data DoSerialize() const = 0;
+	virtual bool DoUnserialize(const broker::data& data) = 0;
+	virtual BloomFilterType Type() const = 0;
+
 	const Hasher* hasher;
 };
 
@@ -144,6 +157,8 @@ public:
 	string InternalState() const override;
 
 protected:
+	friend class BloomFilter;
+
 	/**
 	 * Default constructor.
 	 */
@@ -152,6 +167,10 @@ protected:
 	// Overridden from BloomFilter.
 	void Add(const HashKey* key) override;
 	size_t Count(const HashKey* key) const override;
+	broker::data DoSerialize() const override;
+	bool DoUnserialize(const broker::data& data) override;
+	BloomFilterType Type() const override
+		{ return BloomFilterType::Basic; }
 
 private:
 	BitVector* bits;
@@ -187,6 +206,8 @@ public:
 	string InternalState() const override;
 
 protected:
+	friend class BloomFilter;
+
 	/**
 	 * Default constructor.
 	 */
@@ -195,6 +216,10 @@ protected:
 	// Overridden from BloomFilter.
 	void Add(const HashKey* key) override;
 	size_t Count(const HashKey* key) const override;
+	broker::data DoSerialize() const override;
+	bool DoUnserialize(const broker::data& data) override;
+	BloomFilterType Type() const override
+		{ return BloomFilterType::Counting; }
 
 private:
 	CounterVector* cells;
diff --git a/src/probabilistic/CardinalityCounter.cc b/src/probabilistic/CardinalityCounter.cc
index 17caec3e0e..bcb9579ec2 100644
--- a/src/probabilistic/CardinalityCounter.cc
+++ b/src/probabilistic/CardinalityCounter.cc
@@ -196,6 +196,47 @@ uint64_t CardinalityCounter::GetM() const
 	return m;
 	}
 
+broker::expected<broker::data> CardinalityCounter::Serialize() const
+	{
+	broker::vector v = {m, V, alpha_m};
+	v.reserve(3 + m);
+
+        for ( size_t i = 0; i < m; ++i )
+		v.emplace_back(static_cast<uint64>(buckets[i]));
+
+        return {v};
+	}
+
+std::unique_ptr<CardinalityCounter> CardinalityCounter::Unserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+	if ( ! (v && v->size() >= 3) )
+		return nullptr;
+
+	auto m = caf::get_if<uint64>(&(*v)[0]);
+	auto V = caf::get_if<uint64>(&(*v)[1]);
+	auto alpha_m = caf::get_if<double>(&(*v)[2]);
+
+	if ( ! (m && V && alpha_m) )
+		return nullptr;
+
+	if ( v->size() != 3 + *m )
+		return nullptr;
+
+	auto cc = std::unique_ptr<CardinalityCounter>(new CardinalityCounter(*m, *V, *alpha_m));
+
+        for ( size_t i = 0; i < *m; ++i )
+		{
+		auto x = caf::get_if<uint64>(&(*v)[3 + i]);
+		if ( ! x )
+			return nullptr;
+
+		cc->buckets.push_back(*x);
+		}
+
+	return std::move(cc);
+	}
+
 /**
  * The following function is copied from libc/string/flsll.c from the FreeBSD source
  * tree. Original copyright message follows
diff --git a/src/probabilistic/CardinalityCounter.h b/src/probabilistic/CardinalityCounter.h
index 7d898b3c47..a2d69d0809 100644
--- a/src/probabilistic/CardinalityCounter.h
+++ b/src/probabilistic/CardinalityCounter.h
@@ -84,6 +84,9 @@ public:
 	 */
 	bool Merge(CardinalityCounter* c);
 
+	broker::expected<broker::data> Serialize() const;
+	static std::unique_ptr<CardinalityCounter> Unserialize(const broker::data& data);
+
 protected:
 	/**
 	 * Return the number of buckets.
diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc
index e234d5c9d9..ec307f33f2 100644
--- a/src/probabilistic/CounterVector.cc
+++ b/src/probabilistic/CounterVector.cc
@@ -158,3 +158,29 @@ uint64_t CounterVector::Hash() const
 	return bits->Hash();
 	}
 
+broker::expected<broker::data> CounterVector::Serialize() const
+	{
+	auto b = bits->Serialize();
+	if ( ! b )
+		return broker::ec::invalid_data; // Cannot serialize
+
+	return broker::vector{static_cast<uint64>(width), std::move(*b)};
+	}
+
+std::unique_ptr<CounterVector> CounterVector::Unserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+	if ( ! (v && v->size() >= 2) )
+		return nullptr;
+
+	auto width = caf::get_if<uint64>(&(*v)[0]);
+	auto bits = BitVector::Unserialize((*v)[1]);
+
+	auto cv = std::unique_ptr<CounterVector>(new CounterVector());
+	cv->width = *width;
+	cv->bits = bits.release();
+	return std::move(cv);
+	}
+
+
+
diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h
index 04394ebca2..41674efd11 100644
--- a/src/probabilistic/CounterVector.h
+++ b/src/probabilistic/CounterVector.h
@@ -6,6 +6,8 @@
 #include <cstddef>
 #include <cstdint>
 
+#include <broker/Data.h>
+
 namespace probabilistic {
 
 class BitVector;
@@ -134,6 +136,9 @@ public:
 	  */
 	uint64_t Hash() const;
 
+	broker::expected<broker::data> Serialize() const;
+	static std::unique_ptr<CounterVector> Unserialize(const broker::data& data);
+
 protected:
 	friend CounterVector operator|(const CounterVector& x,
 				       const CounterVector& y);
diff --git a/src/probabilistic/Hasher.cc b/src/probabilistic/Hasher.cc
index 8508cd01ad..ffa60dacfd 100644
--- a/src/probabilistic/Hasher.cc
+++ b/src/probabilistic/Hasher.cc
@@ -46,6 +46,47 @@ Hasher::Hasher(size_t arg_k, seed_t arg_seed)
 	seed = arg_seed;
 	}
 
+broker::expected<broker::data> Hasher::Serialize() const
+	{
+	return broker::vector{
+		static_cast<uint64>(Type()), static_cast<uint64>(k),
+		seed.h1, seed.h2 };
+	}
+
+std::unique_ptr<Hasher> Hasher::Unserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+
+	if ( ! (v && v->size() == 4) )
+		return nullptr;
+
+	auto type = caf::get_if<uint64>(&(*v)[0]);
+	auto k = caf::get_if<uint64>(&(*v)[1]);
+	auto h1 = caf::get_if<uint64>(&(*v)[2]);
+	auto h2 = caf::get_if<uint64>(&(*v)[3]);
+
+	if ( ! (type && k && h1 && h2) )
+		return nullptr;
+
+	std::unique_ptr<Hasher> hasher;
+
+	switch ( *type ) {
+	case Default:
+		hasher = std::unique_ptr<Hasher>(new DefaultHasher(*k, {*h1, *h2}));
+		break;
+
+	case Double:
+		hasher = std::unique_ptr<Hasher>(new DoubleHasher(*k, {*h1, *h2}));
+		break;
+	}
+
+	// Note that the derived classed don't hold any further state of
+	// their own. They reconstruct all their information from their
+	// constructors' arguments.
+
+	return std::move(hasher);
+	}
+
 UHF::UHF()
 	{
 	memset(&seed, 0, sizeof(seed));
diff --git a/src/probabilistic/Hasher.h b/src/probabilistic/Hasher.h
index baceb45fff..3218ec4d7a 100644
--- a/src/probabilistic/Hasher.h
+++ b/src/probabilistic/Hasher.h
@@ -3,10 +3,15 @@
 #ifndef PROBABILISTIC_HASHER_H
 #define PROBABILISTIC_HASHER_H
 
+#include <broker/Data.h>
+
 #include "Hash.h"
 
 namespace probabilistic {
 
+/** Types of derived Hasher classes. */
+enum HasherType { Default, Double };
+
 /**
  * Abstract base class for hashers. A hasher creates a family of hash
  * functions to hash an element *k* times.
@@ -98,6 +103,9 @@ public:
 	 */
 	seed_t Seed() const	{ return seed; }
 
+	broker::expected<broker::data> Serialize() const;
+	static std::unique_ptr<Hasher> Unserialize(const broker::data& data);
+
 protected:
 	Hasher() { }
 
@@ -110,6 +118,8 @@ protected:
 	 */
 	Hasher(size_t arg_k, seed_t arg_seed);
 
+	virtual HasherType Type() const = 0;
+
 private:
 	size_t k;
 	seed_t seed;
@@ -175,6 +185,9 @@ public:
 		return ! (x == y);
 		}
 
+	broker::expected<broker::data> Serialize() const;
+	static UHF Unserialize(const broker::data& data);
+
 private:
 	static size_t compute_seed(Hasher::seed_t seed);
 
@@ -205,6 +218,9 @@ public:
 private:
 	DefaultHasher() { }
 
+	HasherType Type() const override
+		{ return HasherType::Default; }
+
 	std::vector<UHF> hash_functions;
 };
 
@@ -231,6 +247,9 @@ public:
 private:
 	DoubleHasher() { }
 
+	HasherType Type() const override
+		{ return HasherType::Double; }
+
 	UHF h1;
 	UHF h2;
 };
diff --git a/src/probabilistic/Topk.cc b/src/probabilistic/Topk.cc
index 42a2401a2f..b612e1a8a4 100644
--- a/src/probabilistic/Topk.cc
+++ b/src/probabilistic/Topk.cc
@@ -1,5 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include "broker/Data.h"
 #include "probabilistic/Topk.h"
 #include "CompHash.h"
 #include "Reporter.h"
@@ -405,4 +406,126 @@ void TopkVal::IncrementCounter(Element* e, unsigned int count)
 		}
 	}
 
-};
+IMPLEMENT_OPAQUE_VALUE(TopkVal)
+
+broker::data TopkVal::DoSerialize() const
+	{
+	broker::vector d = {size, numElements, pruned};
+
+	if ( type )
+		{
+		auto t = SerializeType(type);
+		if ( t == broker::none() )
+			return broker::none();
+
+		d.emplace_back(t);
+		}
+	else
+		d.emplace_back(broker::none());
+
+	uint64_t i = 0;
+	std::list<Bucket*>::const_iterator it = buckets.begin();
+	while ( it != buckets.end() )
+		{
+		Bucket* b = *it;
+		uint32_t elements_count = b->elements.size();
+
+		d.emplace_back(static_cast<uint64>(b->elements.size()));
+		d.emplace_back(b->count);
+
+		std::list<Element*>::const_iterator eit = b->elements.begin();
+		while ( eit != b->elements.end() )
+			{
+			Element* element = *eit;
+			d.emplace_back(element->epsilon);
+			auto v = bro_broker::val_to_data(element->value);
+			if ( ! v )
+				return broker::none();
+
+			d.emplace_back(*v);
+
+			eit++;
+			i++;
+			}
+
+		it++;
+		}
+
+	assert(i == numElements);
+	return d;
+	}
+
+
+bool TopkVal::DoUnserialize(const broker::data& data)
+	{
+	auto v = caf::get_if<broker::vector>(&data);
+
+	if ( ! (v && v->size() >= 4) )
+		return false;
+
+	auto size_ = caf::get_if<uint64>(&(*v)[0]);
+	auto numElements_ = caf::get_if<uint64>(&(*v)[1]);
+	auto pruned_ = caf::get_if<bool>(&(*v)[2]);
+
+	if ( ! (size_ && numElements_ && pruned_) )
+		return false;
+
+	size = *size_;
+	numElements = *numElements_;
+	pruned = *pruned_;
+
+	auto no_type = caf::get_if<broker::none>(&(*v)[3]);
+	if ( ! no_type )
+		{
+		BroType* t = UnserializeType((*v)[3]);
+                if ( ! t )
+			return false;
+
+		Typify(t);
+		Unref(t);
+		}
+
+	uint64_t i = 0;
+	uint64_t idx = 4;
+
+	while ( i < numElements )
+		{
+		Bucket* b = new Bucket();
+		auto elements_count = caf::get_if<uint64>(&(*v)[idx++]);
+		auto count = caf::get_if<uint64>(&(*v)[idx++]);
+
+		if ( ! (elements_count && count) )
+			return false;
+
+		b->count = *count;
+		b->bucketPos = buckets.insert(buckets.end(), b);
+
+		for ( uint64_t j = 0; j < *elements_count; j++ )
+			{
+			Element* e = new Element();
+			auto epsilon = caf::get_if<uint64>(&(*v)[idx++]);
+			Val* val = bro_broker::data_to_val((*v)[idx++], type);
+
+			if ( ! (epsilon && val) )
+				return false;
+
+			e->epsilon = *epsilon;
+			e->value = val;
+			e->parent = b;
+
+			b->elements.insert(b->elements.end(), e);
+
+			HashKey* key = GetHash(e->value);
+			assert (elementDict->Lookup(key) == 0);
+
+			elementDict->Insert(key, e);
+			delete key;
+
+			i++;
+			}
+		}
+
+	assert(i == numElements);
+	return true;
+	}
+}
diff --git a/src/probabilistic/Topk.h b/src/probabilistic/Topk.h
index 52f8a39034..24d05e12af 100644
--- a/src/probabilistic/Topk.h
+++ b/src/probabilistic/Topk.h
@@ -131,6 +131,8 @@ public:
 	 */
 	Val* DoClone(CloneState* state) override;
 
+	DECLARE_OPAQUE_VALUE(TopkVal)
+
 protected:
 	/**
 	 * Construct an empty TopkVal. Only used for deserialization
diff --git a/testing/btest/Baseline/broker.opaque/.stderr b/testing/btest/Baseline/broker.opaque/.stderr
new file mode 100644
index 0000000000..bf07a71a21
--- /dev/null
+++ b/testing/btest/Baseline/broker.opaque/.stderr
@@ -0,0 +1 @@
+error: incompatible Bloom filter types
diff --git a/testing/btest/Baseline/broker.opaque/out b/testing/btest/Baseline/broker.opaque/out
new file mode 100644
index 0000000000..f35f4e3284
--- /dev/null
+++ b/testing/btest/Baseline/broker.opaque/out
@@ -0,0 +1,53 @@
+============ Topk
+[b, a, c]
+[b, a, c]
+============ HLL
+3.000069
+3.000069
+============ Bloom
+0
+1
+0
+1
+============ Hashes
+5b9164ad6f496d9dee12ec7634ce253f
+5b9164ad6f496d9dee12ec7634ce253f
+30ae97492ce1da88d0e7117ace0a60a6f9e1e0bc
+30ae97492ce1da88d0e7117ace0a60a6f9e1e0bc
+25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
+25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
+============ X509
+[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=904651200.0, not_valid_after=1832673600.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
+[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=904651200.0, not_valid_after=1832673600.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
+============ OCSP_RESPVal
+============ Entropy
+[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
+[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
+============ broker::Data
+broker::data{{hi, there}}
+broker::data{{hi, there}}
+T
+============ broker::Set
+| [data=broker::data{!}] | [data=broker::data{!}]
+  > [data=broker::data{hi}] | [data=broker::data{hi}]
+| [data=broker::data{hi}] | [data=broker::data{hi}]
+  > [data=broker::data{there}] | [data=broker::data{there}]
+| [data=broker::data{there}] | [data=broker::data{there}]
+============ broker::Table
+| [key=[data=broker::data{!}], val=[data=broker::data{30}]] | [key=[data=broker::data{!}], val=[data=broker::data{30}]]
+  > [key=[data=broker::data{hi}], val=[data=broker::data{10}]] | [key=[data=broker::data{hi}], val=[data=broker::data{10}]]
+| [key=[data=broker::data{hi}], val=[data=broker::data{10}]] | [key=[data=broker::data{hi}], val=[data=broker::data{10}]]
+  > [key=[data=broker::data{there}], val=[data=broker::data{20}]] | [key=[data=broker::data{there}], val=[data=broker::data{20}]]
+| [key=[data=broker::data{there}], val=[data=broker::data{20}]] | [key=[data=broker::data{there}], val=[data=broker::data{20}]]
+============ broker::Vector
+| [data=broker::data{hi}] | [data=broker::data{hi}]
+  > [data=broker::data{there}] | [data=broker::data{there}]
+| [data=broker::data{there}] | [data=broker::data{there}]
+  > [data=broker::data{!}] | [data=broker::data{!}]
+| [data=broker::data{!}] | [data=broker::data{!}]
+============ broker::Record
+| [data=broker::data{hi}] | [data=broker::data{hi}]
+  > [data=broker::data{there}] | [data=broker::data{there}]
+| [data=broker::data{there}] | [data=broker::data{there}]
+  > [data=broker::data{!}] | [data=broker::data{!}]
+| [data=broker::data{!}] | [data=broker::data{!}]
diff --git a/testing/btest/broker/opaque.zeek b/testing/btest/broker/opaque.zeek
new file mode 100644
index 0000000000..f65fc191dd
--- /dev/null
+++ b/testing/btest/broker/opaque.zeek
@@ -0,0 +1,161 @@
+# @TEST-EXEC: zeek -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff .stderr
+
+event zeek_init()
+	{
+	print "============ Topk";
+	local k1: opaque of topk = topk_init(4);
+	topk_add(k1, "a");
+	topk_add(k1, "b");
+	topk_add(k1, "b");
+	topk_add(k1, "c");
+	local k2 = Broker::__opaque_clone_through_serialization(k1);
+	print topk_get_top(k1, 5);
+	topk_add(k1, "shoulnotshowup");
+	print topk_get_top(k2, 5);
+
+	print "============ HLL";
+	local c1 = hll_cardinality_init(0.01, 0.95);
+	hll_cardinality_add(c1, 2001);
+	hll_cardinality_add(c1, 2002);
+	hll_cardinality_add(c1, 2003);
+
+	print hll_cardinality_estimate(c1);
+	local c2 = Broker::__opaque_clone_through_serialization(c1);
+	hll_cardinality_add(c1, 2004);
+	print hll_cardinality_estimate(c2);
+
+	print "============ Bloom";
+	local bf_cnt = bloomfilter_basic_init(0.1, 1000);
+	bloomfilter_add(bf_cnt, 42);
+	bloomfilter_add(bf_cnt, 84);
+	bloomfilter_add(bf_cnt, 168);
+	print bloomfilter_lookup(bf_cnt, 0);
+	print bloomfilter_lookup(bf_cnt, 42);
+	local bf_copy = Broker::__opaque_clone_through_serialization(bf_cnt);
+	bloomfilter_add(bf_cnt, 0);
+	print bloomfilter_lookup(bf_copy, 0);
+	print bloomfilter_lookup(bf_copy, 42);
+	# check that typefication transfered.
+	bloomfilter_add(bf_copy, 0.5); # causes stderr output "error: incompatible Bloom filter types"
+
+	print "============ Hashes";
+	local md5a = md5_hash_init();
+	md5_hash_update(md5a, "one");
+	local md5b = Broker::__opaque_clone_through_serialization(md5a);
+	md5_hash_update(md5a, "two");
+	md5_hash_update(md5b, "two");
+	print md5_hash_finish(md5a);
+	print md5_hash_finish(md5b);
+
+	local sha1a = sha1_hash_init();
+	sha1_hash_update(sha1a, "one");
+	local sha1b = Broker::__opaque_clone_through_serialization(sha1a);
+	sha1_hash_update(sha1a, "two");
+	sha1_hash_update(sha1b, "two");
+	print sha1_hash_finish(sha1a);
+	print sha1_hash_finish(sha1b);
+
+	local sha256a = sha256_hash_init();
+	sha256_hash_update(sha256a, "one");
+	local sha256b = Broker::__opaque_clone_through_serialization(sha256a);
+	sha256_hash_update(sha256a, "two");
+	sha256_hash_update(sha256b, "two");
+	print sha256_hash_finish(sha256a);
+	print sha256_hash_finish(sha256b);
+
+	print "============ X509";
+	local x509 = x509_from_der("\x30\x82\x03\x75\x30\x82\x02\x5D\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x15\x4B\x5A\xC3\x94\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x57\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x45\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x6E\x76\x2D\x73\x61\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x39\x38\x30\x39\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x31\x32\x38\x31\x32\x30\x30\x30\x30\x5A\x30\x57\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x45\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x6E\x76\x2D\x73\x61\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDA\x0E\xE6\x99\x8D\xCE\xA3\xE3\x4F\x8A\x7E\xFB\xF1\x8B\x83\x25\x6B\xEA\x48\x1F\xF1\x2A\xB0\xB9\x95\x11\x04\xBD\xF0\x63\xD1\xE2\x67\x66\xCF\x1C\xDD\xCF\x1B\x48\x2B\xEE\x8D\x89\x8E\x9A\xAF\x29\x80\x65\xAB\xE9\xC7\x2D\x12\xCB\xAB\x1C\x4C\x70\x07\xA1\x3D\x0A\x30\xCD\x15\x8D\x4F\xF8\xDD\xD4\x8C\x50\x15\x1C\xEF\x50\xEE\xC4\x2E\xF7\xFC\xE9\x52\xF2\x91\x7D\xE0\x6D\xD5\x35\x30\x8E\x5E\x43\x73\xF2\x41\xE9\xD5\x6A\xE3\xB2\x89\x3A\x56\x39\x38\x6F\x06\x3C\x88\x69\x5B\x2A\x4D\xC5\xA7\x54\xB8\x6C\x89\xCC\x9B\xF9\x3C\xCA\xE5\xFD\x89\xF5\x12\x3C\x92\x78\x96\xD6\xDC\x74\x6E\x93\x44\x61\xD1\x8D\xC7\x46\xB2\x75\x0E\x86\xE8\x19\x8A\xD5\x6D\x6C\xD5\x78\x16\x95\xA2\xE9\xC8\x0A\x38\xEB\xF2\x24\x13\x4F\x73\x54\x93\x13\x85\x3A\x1B\xBC\x1E\x34\xB5\x8B\x05\x8C\xB9\x77\x8B\xB1\xDB\x1F\x20\x91\xAB\x09\x53\x6E\x90\xCE\x7B\x37\x74\xB9\x70\x47\x91\x22\x51\x63\x16\x79\xAE\xB1\xAE\x41\x26\x08\xC8\x19\x2B\xD1\x46\xAA\x48\xD6\x64\x2A\xD7\x83\x34\xFF\x2C\x2A\xC1\x6C\x19\x43\x4A\x07\x85\xE7\xD3\x7C\xF6\x21\x68\xEF\xEA\xF2\x52\x9F\x7F\x93\x90\xCF\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x60\x7B\x66\x1A\x45\x0D\x97\xCA\x89\x50\x2F\x7D\x04\xCD\x34\xA8\xFF\xFC\xFD\x4B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xD6\x73\xE7\x7C\x4F\x76\xD0\x8D\xBF\xEC\xBA\xA2\xBE\x34\xC5\x28\x32\xB5\x7C\xFC\x6C\x9C\x2C\x2B\xBD\x09\x9E\x53\xBF\x6B\x5E\xAA\x11\x48\xB6\xE5\x08\xA3\xB3\xCA\x3D\x61\x4D\xD3\x46\x09\xB3\x3E\xC3\xA0\xE3\x63\x55\x1B\xF2\xBA\xEF\xAD\x39\xE1\x43\xB9\x38\xA3\xE6\x2F\x8A\x26\x3B\xEF\xA0\x50\x56\xF9\xC6\x0A\xFD\x38\xCD\xC4\x0B\x70\x51\x94\x97\x98\x04\xDF\xC3\x5F\x94\xD5\x15\xC9\x14\x41\x9C\xC4\x5D\x75\x64\x15\x0D\xFF\x55\x30\xEC\x86\x8F\xFF\x0D\xEF\x2C\xB9\x63\x46\xF6\xAA\xFC\xDF\xBC\x69\xFD\x2E\x12\x48\x64\x9A\xE0\x95\xF0\xA6\xEF\x29\x8F\x01\xB1\x15\xB5\x0C\x1D\xA5\xFE\x69\x2C\x69\x24\x78\x1E\xB3\xA7\x1C\x71\x62\xEE\xCA\xC8\x97\xAC\x17\x5D\x8A\xC2\xF8\x47\x86\x6E\x2A\xC4\x56\x31\x95\xD0\x67\x89\x85\x2B\xF9\x6C\xA6\x5D\x46\x9D\x0C\xAA\x82\xE4\x99\x51\xDD\x70\xB7\xDB\x56\x3D\x61\xE4\x6A\xE1\x5C\xD6\xF6\xFE\x3D\xDE\x41\xCC\x07\xAE\x63\x52\xBF\x53\x53\xF4\x2B\xE9\xC7\xFD\xB6\xF7\x82\x5F\x85\xD2\x41\x18\xDB\x81\xB3\x04\x1C\xC5\x1F\xA4\x80\x6F\x15\x20\xC9\xDE\x0C\x88\x0A\x1D\xD6\x66\x55\xE2\xFC\x48\xC9\x29\x26\x69\xE0");
+	local x5092 = Broker::__opaque_clone_through_serialization(x509);
+	print x509_parse(x509);
+	print x509_parse(x5092);
+
+	print "============ OCSP_RESPVal";
+	# TODO: Not sure how to test?
+
+	print "============ Entropy";
+	local handle = entropy_test_init();
+	entropy_test_add(handle, "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f");
+	local handle2 = Broker::__opaque_clone_through_serialization(handle);
+	print entropy_test_finish(handle);
+	print entropy_test_finish(handle2);
+
+	print "============ broker::Data";
+	local s1: Broker::Data = Broker::set_create();
+	Broker::set_insert(s1, "hi");
+	Broker::set_insert(s1, "there");
+	local d2 = Broker::__opaque_clone_through_serialization(s1$data);
+	print s1$data;
+	print d2;
+	print same_object(s1$data, d2) == F;
+
+	print "============ broker::Set";
+	local cs = Broker::set_create();
+	Broker::set_insert(cs, "hi");
+	Broker::set_insert(cs, "there");
+	Broker::set_insert(cs, "!");
+
+	local i = Broker::set_iterator(cs);
+	while ( ! Broker::set_iterator_last(i) )
+		{
+		local ci = Broker::__opaque_clone_through_serialization(i);
+		print fmt("| %s | %s", Broker::set_iterator_value(i), Broker::set_iterator_value(ci));
+		Broker::set_iterator_next(i);
+		Broker::set_iterator_next(ci);
+		if ( ! Broker::set_iterator_last(i) )
+			print fmt("  > %s | %s", Broker::set_iterator_value(i), Broker::set_iterator_value(ci));
+		}
+
+	print "============ broker::Table";
+	local ct = Broker::table_create();
+	Broker::table_insert(ct, "hi", 10);
+	Broker::table_insert(ct, "there", 20);
+	Broker::table_insert(ct, "!", 30);
+
+	local j = Broker::table_iterator(ct);
+	while ( ! Broker::table_iterator_last(j) )
+		{
+		local cj = Broker::__opaque_clone_through_serialization(j);
+		print fmt("| %s | %s", Broker::table_iterator_value(j), Broker::table_iterator_value(cj));
+		Broker::table_iterator_next(j);
+		Broker::table_iterator_next(cj);
+		if ( ! Broker::table_iterator_last(j) )
+			print fmt("  > %s | %s", Broker::table_iterator_value(j), Broker::table_iterator_value(cj));
+		}
+
+	print "============ broker::Vector";
+	local cv = Broker::vector_create();
+	Broker::vector_insert(cv, 0, "hi");
+	Broker::vector_insert(cv, 1, "there");
+	Broker::vector_insert(cv, 2, "!");
+
+	local k = Broker::vector_iterator(cv);
+	while ( ! Broker::vector_iterator_last(k) )
+		{
+		local ck = Broker::__opaque_clone_through_serialization(k);
+		print fmt("| %s | %s", Broker::vector_iterator_value(k), Broker::vector_iterator_value(ck));
+		Broker::vector_iterator_next(k);
+		Broker::vector_iterator_next(ck);
+		if ( ! Broker::vector_iterator_last(k) )
+			print fmt("  > %s | %s", Broker::vector_iterator_value(k), Broker::vector_iterator_value(ck));
+		}
+
+	print "============ broker::Record";
+	local cr = Broker::record_create(3);
+	Broker::record_assign(cr, 0, "hi");
+	Broker::record_assign(cr, 1, "there");
+	Broker::record_assign(cr, 2, "!");
+
+	local l = Broker::record_iterator(cr);
+	while ( ! Broker::record_iterator_last(l) )
+		{
+		local cl = Broker::__opaque_clone_through_serialization(l);
+		print fmt("| %s | %s", Broker::record_iterator_value(l), Broker::record_iterator_value(cl));
+		Broker::record_iterator_next(l);
+		Broker::record_iterator_next(cl);
+		if ( ! Broker::record_iterator_last(l) )
+			print fmt("  > %s | %s", Broker::record_iterator_value(l), Broker::record_iterator_value(cl));
+		}
+
+	}

From 618f0802f4f3fee1553be5befe49ac3f77d6db12 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Mon, 17 Jun 2019 14:48:02 -0700
Subject: [PATCH 72/91] Smaller compile fixes for the new opaque serialization.

Also remove the non-existing clone function for EntrypyVals - which now
can just use serialization :)
---
 src/OpaqueVal.cc                        | 14 ++++----------
 src/OpaqueVal.h                         | 16 ++++++----------
 src/broker/Data.cc                      | 10 ++++++----
 src/probabilistic/BitVector.cc          |  2 +-
 src/probabilistic/BloomFilter.cc        |  2 +-
 src/probabilistic/CardinalityCounter.cc |  2 +-
 src/probabilistic/CounterVector.cc      |  2 +-
 src/probabilistic/Hasher.cc             |  2 +-
 8 files changed, 21 insertions(+), 29 deletions(-)

diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc
index 142dae031f..baac74605a 100644
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@@ -41,8 +41,8 @@ const std::string& OpaqueMgr::TypeID(const OpaqueVal* v) const
 	auto x = _types.find(v->OpaqueName());
 
 	if ( x == _types.end() )
-		reporter->InternalError(fmt("OpaqueMgr::TypeID: opaque type %s not registered",
-					v->OpaqueName()));
+		reporter->InternalError("OpaqueMgr::TypeID: opaque type %s not registered",
+					v->OpaqueName());
 
 	return x->first;
 	}
@@ -122,11 +122,11 @@ BroType* OpaqueVal::UnserializeType(const broker::data& data)
 
 		ID* id = global_scope()->Lookup(name->c_str());
                 if ( ! id )
-			return nullptr;
+					return nullptr;
 
                 BroType* t = id->AsType();
                 if ( ! t )
-			return nullptr;
+					return nullptr;
 
                 return t->Ref();
 		}
@@ -644,12 +644,6 @@ EntropyVal::EntropyVal() : OpaqueVal(entropy_type)
 	{
 	}
 
-Val* EntropyVal::DoClone(CloneState* state)
-	{
-	// Fixme
-	return nullptr;
-	}
-
 bool EntropyVal::Feed(const void* data, size_t size)
 	{
 	state.add(data, size);
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h
index 805cd1dad6..f07a0f9752 100644
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@@ -21,14 +21,12 @@ public:
 
 	/**
 	 * Return's a unique ID for the type of an opaque value.
-
-	 * @param v opaque value to return type for; it's classmust have been
+	 * @param v opaque value to return type for; its class must have been
 	 * registered with the manager, otherwise this method will abort
-	 * execugtion.
+	 * execution.
 	 *
 	 * @return type ID, which can used with *Instantiate()* to create a
-	 * new
-	 * instnace of the same type.
+	 * new instance of the same type.
 	 */
 	const std::string& TypeID(const OpaqueVal* v) const;
 
@@ -66,8 +64,8 @@ private:
 /** Macro to insert into an OpaqueVal-derived class's declaration. */
 #define DECLARE_OPAQUE_VALUE(T)                            \
     friend class OpaqueMgr::Register<T>;                   \
-    broker::data DoSerialize() const;                      \
-    bool DoUnserialize(const broker::data& data);          \
+    broker::data DoSerialize() const override;             \
+    bool DoUnserialize(const broker::data& data) override; \
     const char* OpaqueName() const override { return #T; } \
     static OpaqueVal* OpaqueInstantiate() { return new T(); }
 
@@ -90,7 +88,7 @@ public:
 	/**
 	 * Serializes the value into a Broker representation.
 	 *
-	 * @return the broker representatio, or an error if serialization
+	 * @return the broker representation, or an error if serialization
 	 * isn't supported or failed.
 	 */
 	broker::expected<broker::data> Serialize() const;
@@ -244,8 +242,6 @@ class EntropyVal : public OpaqueVal {
 public:
 	EntropyVal();
 
-	Val* DoClone(CloneState* state) override;
-
 	bool Feed(const void* data, size_t size);
 	bool Get(double *r_ent, double *r_chisq, double *r_mean,
 		 double *r_montepicalc, double *r_scc);
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index 93986306ec..76ebff46df 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -1183,7 +1183,8 @@ IMPLEMENT_OPAQUE_VALUE(bro_broker::VectorIterator)
 
 broker::data bro_broker::VectorIterator::DoSerialize() const
 	{
-	return broker::vector{dat, it - dat.begin()};
+	broker::integer difference = it - dat.begin();
+	return broker::vector{dat, difference};
 	}
 
 bool bro_broker::VectorIterator::DoUnserialize(const broker::data& data)
@@ -1193,7 +1194,7 @@ bool bro_broker::VectorIterator::DoUnserialize(const broker::data& data)
 		return false;
 
 	auto x = caf::get_if<broker::vector>(&(*v)[0]);
-	auto y = caf::get_if<broker::vector::difference_type>(&(*v)[1]);
+	auto y = caf::get_if<broker::integer>(&(*v)[1]);
 
 	dat = *x;
 	it = dat.begin() + *y;
@@ -1204,7 +1205,8 @@ IMPLEMENT_OPAQUE_VALUE(bro_broker::RecordIterator)
 
 broker::data bro_broker::RecordIterator::DoSerialize() const
 	{
-	return broker::vector{dat, it - dat.begin()};
+	broker::integer difference = it - dat.begin();
+	return broker::vector{dat, difference};
 	}
 
 bool bro_broker::RecordIterator::DoUnserialize(const broker::data& data)
@@ -1214,7 +1216,7 @@ bool bro_broker::RecordIterator::DoUnserialize(const broker::data& data)
 		return false;
 
 	auto x = caf::get_if<broker::vector>(&(*v)[0]);
-	auto y = caf::get_if<broker::vector::difference_type>(&(*v)[1]);
+	auto y = caf::get_if<broker::integer>(&(*v)[1]);
 
 	dat = *x;
 	it = dat.begin() + *y;
diff --git a/src/probabilistic/BitVector.cc b/src/probabilistic/BitVector.cc
index a7d6bf4f11..9b3a5f66c1 100644
--- a/src/probabilistic/BitVector.cc
+++ b/src/probabilistic/BitVector.cc
@@ -543,7 +543,7 @@ std::unique_ptr<BitVector> BitVector::Unserialize(const broker::data& data)
 		bv->bits.push_back(*x);
 		}
 
-	return std::move(bv);
+	return bv;
 	}
 
 BitVector::size_type BitVector::lowest_bit(block_type block)
diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc
index 2148fac556..d788c4736f 100644
--- a/src/probabilistic/BloomFilter.cc
+++ b/src/probabilistic/BloomFilter.cc
@@ -70,7 +70,7 @@ std::unique_ptr<BloomFilter> BloomFilter::Unserialize(const broker::data& data)
 		return nullptr;
 
 	bf->hasher = hasher_.release();
-	return std::move(bf);
+	return bf;
 	}
 
 size_t BasicBloomFilter::M(double fp, size_t capacity)
diff --git a/src/probabilistic/CardinalityCounter.cc b/src/probabilistic/CardinalityCounter.cc
index bcb9579ec2..a256673b79 100644
--- a/src/probabilistic/CardinalityCounter.cc
+++ b/src/probabilistic/CardinalityCounter.cc
@@ -234,7 +234,7 @@ std::unique_ptr<CardinalityCounter> CardinalityCounter::Unserialize(const broker
 		cc->buckets.push_back(*x);
 		}
 
-	return std::move(cc);
+	return cc;
 	}
 
 /**
diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc
index ec307f33f2..500862c3ba 100644
--- a/src/probabilistic/CounterVector.cc
+++ b/src/probabilistic/CounterVector.cc
@@ -179,7 +179,7 @@ std::unique_ptr<CounterVector> CounterVector::Unserialize(const broker::data& da
 	auto cv = std::unique_ptr<CounterVector>(new CounterVector());
 	cv->width = *width;
 	cv->bits = bits.release();
-	return std::move(cv);
+	return cv;
 	}
 
 
diff --git a/src/probabilistic/Hasher.cc b/src/probabilistic/Hasher.cc
index ffa60dacfd..9228cb3d02 100644
--- a/src/probabilistic/Hasher.cc
+++ b/src/probabilistic/Hasher.cc
@@ -84,7 +84,7 @@ std::unique_ptr<Hasher> Hasher::Unserialize(const broker::data& data)
 	// their own. They reconstruct all their information from their
 	// constructors' arguments.
 
-	return std::move(hasher);
+	return hasher;
 	}
 
 UHF::UHF()

From 502ad9abc38bb2b7421ac23dd68f47f52b3c610c Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 14 Jun 2019 11:23:28 -0700
Subject: [PATCH 73/91] Add ability to grow/shrink a vector using slicing, also
 adds Insert/Remove methods for VectorVal

---
 src/Expr.cc                                | 20 +++++++-----
 src/Val.cc                                 | 38 ++++++++++++++++++++++
 src/Val.h                                  |  6 ++++
 testing/btest/Baseline/language.vector/out |  2 ++
 testing/btest/language/vector.zeek         |  4 +++
 5 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/src/Expr.cc b/src/Expr.cc
index 768d70ef0b..ea8253e347 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3201,24 +3201,26 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
 	case TYPE_VECTOR:
 		{
 		const ListVal *lv = v2->AsListVal();
+		VectorVal* v1_vect = v1->AsVectorVal();
 
 		if ( lv->Length() > 1 )
 			{
-			int len = v1->AsVectorVal()->Size();
+			int len = v1_vect->Size();
 			bro_int_t first = get_slice_index(lv->Index(0)->CoerceToInt(), len);
 			bro_int_t last = get_slice_index(lv->Index(1)->CoerceToInt(), len);
-			int slice_length = last - first;
 
-			const VectorVal *v_vect = v->AsVectorVal();
-			if ( slice_length != v_vect->Size())
-				RuntimeError("vector being assigned to slice does not match size of slice");
-			else if ( slice_length >= 0 )
+			// Remove the elements from the vector within the slice
+			for ( int idx = first; idx < last; idx++ )
+				v1_vect->Remove(first);
+
+			// Insert the new elements starting at the first position
+			VectorVal* v_vect = v->AsVectorVal();
+			for ( int idx = 0; idx < v_vect->Size(); idx++, first++ )
 				{
-				for ( int idx = first; idx < last; idx++ )
-					v1->AsVectorVal()->Assign(idx, v_vect->Lookup(idx - first)->Ref(), op);
+				v1_vect->Insert(first, v_vect->Lookup(idx)->Ref());
 				}
 			}
-		else if ( !v1->AsVectorVal()->Assign(v2, v, op))
+		else if ( !v1_vect->Assign(v2, v, op) )
 			{
 			if ( v )
 				{
diff --git a/src/Val.cc b/src/Val.cc
index bb9a3d1601..0a6c7dd985 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -3407,6 +3407,44 @@ bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
 	return true;
 	}
 
+bool VectorVal::Insert(unsigned int index, Val* element)
+	{
+	if ( element &&
+	     ! same_type(element->Type(), vector_type->YieldType(), 0) )
+		{
+		Unref(element);
+		return false;
+		}
+
+	vector<Val*>::iterator it;
+	if ( index < val.vector_val->size() )
+		it = std::next(val.vector_val->begin(), index);
+	else
+		it = val.vector_val->end();
+
+	// Note: we do *not* Ref() the element, if any, at this point.
+	// AssignExpr::Eval() already does this; other callers must remember
+	// to do it similarly.
+	val.vector_val->insert(it, element);
+
+	Modified();
+	return true;
+	}
+
+bool VectorVal::Remove(unsigned int index)
+	{
+	if ( index >= val.vector_val->size() )
+		return false;
+
+	Val* val_at_index = (*val.vector_val)[index];
+	auto it = std::next(val.vector_val->begin(), index);
+	val.vector_val->erase(it);
+	Unref(val_at_index);
+
+	Modified();
+	return true;
+	}
+
 int VectorVal::AddTo(Val* val, int /* is_first_init */) const
 	{
 	if ( val->Type()->Tag() != TYPE_VECTOR )
diff --git a/src/Val.h b/src/Val.h
index 2890c4c5e8..20302e3a9d 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -1194,6 +1194,12 @@ public:
 	// Won't shrink size.
 	unsigned int ResizeAtLeast(unsigned int new_num_elements);
 
+	// Insert an element at a specific position into the underlying vector.
+	bool Insert(unsigned int index, Val* element);
+
+	// Removes an element or a range of elements from a specific position.
+	bool Remove(unsigned int start_index);
+
 protected:
 	friend class Val;
 	VectorVal()	{ }
diff --git a/testing/btest/Baseline/language.vector/out b/testing/btest/Baseline/language.vector/out
index cfd9b75413..2955eda26c 100644
--- a/testing/btest/Baseline/language.vector/out
+++ b/testing/btest/Baseline/language.vector/out
@@ -65,3 +65,5 @@ slicing (PASS)
 slicing (PASS)
 slicing assignment (PASS)
 slicing assignment (PASS)
+slicing assignment grow (PASS)
+slicing assignment shrink (PASS)
diff --git a/testing/btest/language/vector.zeek b/testing/btest/language/vector.zeek
index e8b3f68e76..ea330f3842 100644
--- a/testing/btest/language/vector.zeek
+++ b/testing/btest/language/vector.zeek
@@ -179,4 +179,8 @@ event zeek_init()
 	test_case( "slicing assignment", all_set(v17 == vector(6, 2, 3, 4, 5)) );
 	v17[2:4] = vector(7, 8);
 	test_case( "slicing assignment", all_set(v17 == vector(6, 2, 7, 8, 5)) );
+	v17[2:4] = vector(9, 10, 11);
+	test_case( "slicing assignment grow", all_set(v17 == vector(6, 2, 9, 10, 11, 5)) );
+	v17[2:5] = vector(9);
+	test_case( "slicing assignment shrink", all_set(v17 == vector(6, 2, 9, 5)) );
 }

From ca28b98fd4c0d0116f303749d0c9384887bac573 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 18 Jun 2019 08:59:31 -0700
Subject: [PATCH 74/91] Fix cardinalitycounter deserialization.

This one took me way too long to admit. Values were pushed back on
deserialization - instead of assigned. Meaning they were added to the
end of the already 0-assigned vector.

The mean thing here is that estimation still worked - just merging
resulted in 0. And estimation still was correct because m, V, alpha_m
are enough for this - and those were correctly copied...

With this change, all tests pass.
---
 src/probabilistic/CardinalityCounter.cc             | 13 ++++++++-----
 src/probabilistic/cardinality-counter.bif           |  2 +-
 testing/btest/Baseline/broker.opaque/out            |  1 +
 .../btest/Baseline/language.copy-all-opaques/out    |  1 +
 testing/btest/broker/opaque.zeek                    |  4 ++++
 testing/btest/language/copy-all-opaques.zeek        |  4 ++++
 6 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/probabilistic/CardinalityCounter.cc b/src/probabilistic/CardinalityCounter.cc
index a256673b79..304bf5151d 100644
--- a/src/probabilistic/CardinalityCounter.cc
+++ b/src/probabilistic/CardinalityCounter.cc
@@ -201,10 +201,10 @@ broker::expected<broker::data> CardinalityCounter::Serialize() const
 	broker::vector v = {m, V, alpha_m};
 	v.reserve(3 + m);
 
-        for ( size_t i = 0; i < m; ++i )
+	for ( size_t i = 0; i < m; ++i )
 		v.emplace_back(static_cast<uint64>(buckets[i]));
 
-        return {v};
+	return {v};
 	}
 
 std::unique_ptr<CardinalityCounter> CardinalityCounter::Unserialize(const broker::data& data)
@@ -219,19 +219,22 @@ std::unique_ptr<CardinalityCounter> CardinalityCounter::Unserialize(const broker
 
 	if ( ! (m && V && alpha_m) )
 		return nullptr;
-
 	if ( v->size() != 3 + *m )
 		return nullptr;
 
 	auto cc = std::unique_ptr<CardinalityCounter>(new CardinalityCounter(*m, *V, *alpha_m));
+	if ( *m != cc->m )
+		return nullptr;
+	if ( cc->buckets.size() != * m )
+		return nullptr;
 
-        for ( size_t i = 0; i < *m; ++i )
+	for ( size_t i = 0; i < *m; ++i )
 		{
 		auto x = caf::get_if<uint64>(&(*v)[3 + i]);
 		if ( ! x )
 			return nullptr;
 
-		cc->buckets.push_back(*x);
+		cc->buckets[i] = *x;
 		}
 
 	return cc;
diff --git a/src/probabilistic/cardinality-counter.bif b/src/probabilistic/cardinality-counter.bif
index 2fa7953c9e..1e12765b57 100644
--- a/src/probabilistic/cardinality-counter.bif
+++ b/src/probabilistic/cardinality-counter.bif
@@ -90,7 +90,7 @@ function hll_cardinality_merge_into%(handle1: opaque of cardinality, handle2: op
 	bool res = h1->Merge(h2);
 	if ( ! res )
 		{
-		reporter->Error("Carinality counters with different parameters cannot be merged");
+		reporter->Error("Cardinality counters with different parameters cannot be merged");
 		return val_mgr->GetBool(0);
 		}
 
diff --git a/testing/btest/Baseline/broker.opaque/out b/testing/btest/Baseline/broker.opaque/out
index f35f4e3284..4582e8dc2b 100644
--- a/testing/btest/Baseline/broker.opaque/out
+++ b/testing/btest/Baseline/broker.opaque/out
@@ -4,6 +4,7 @@
 ============ HLL
 3.000069
 3.000069
+3.000069
 ============ Bloom
 0
 1
diff --git a/testing/btest/Baseline/language.copy-all-opaques/out b/testing/btest/Baseline/language.copy-all-opaques/out
index ad38ca1a8d..68b12cecac 100644
--- a/testing/btest/Baseline/language.copy-all-opaques/out
+++ b/testing/btest/Baseline/language.copy-all-opaques/out
@@ -4,6 +4,7 @@
 ============ HLL
 3.000069
 3.000069
+3.000069
 ============ Bloom
 0
 1
diff --git a/testing/btest/broker/opaque.zeek b/testing/btest/broker/opaque.zeek
index f65fc191dd..bddd68e0be 100644
--- a/testing/btest/broker/opaque.zeek
+++ b/testing/btest/broker/opaque.zeek
@@ -26,6 +26,10 @@ event zeek_init()
 	hll_cardinality_add(c1, 2004);
 	print hll_cardinality_estimate(c2);
 
+	local c3 = hll_cardinality_init(0.01, 0.95);
+	hll_cardinality_merge_into(c3, c2);
+	print hll_cardinality_estimate(c3);
+
 	print "============ Bloom";
 	local bf_cnt = bloomfilter_basic_init(0.1, 1000);
 	bloomfilter_add(bf_cnt, 42);
diff --git a/testing/btest/language/copy-all-opaques.zeek b/testing/btest/language/copy-all-opaques.zeek
index 25ca89fd80..06b4a07471 100644
--- a/testing/btest/language/copy-all-opaques.zeek
+++ b/testing/btest/language/copy-all-opaques.zeek
@@ -27,6 +27,10 @@ event zeek_init()
 	hll_cardinality_add(c1, 2004);
 	print hll_cardinality_estimate(c2);
 
+	local c3 = hll_cardinality_init(0.01, 0.95);
+	hll_cardinality_merge_into(c3, c2);
+	print hll_cardinality_estimate(c3);
+
 	print "============ Bloom";
 	local bf_cnt = bloomfilter_basic_init(0.1, 1000);
 	bloomfilter_add(bf_cnt, 42);

From c068daa258b159c3b994ab7317774bdb533ea1db Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 18 Jun 2019 10:14:19 -0700
Subject: [PATCH 75/91] Remove remnants of event serializer.

---
 NEWS         |  9 +++++++++
 src/Event.cc |  7 -------
 src/main.cc  | 18 +-----------------
 src/zeek.bif | 15 ---------------
 4 files changed, 10 insertions(+), 39 deletions(-)

diff --git a/NEWS b/NEWS
index a8fd5ae970..c2d0411e25 100644
--- a/NEWS
+++ b/NEWS
@@ -427,8 +427,17 @@ Removed Functionality
   and &rotate_size attributes, which were deprecated in Bro 2.6, was removed. The ``-g``
   command-line option (dump-config) which relied on this functionality was also removed.
 
+- Functionality for writing state updates for variables with the &synchronized attribute was
+  removed. This entails the ``-x`` command-line option (print-state) as well as the ``capture_state_updates``
+	function.
+
 - Removed the BroControl ``update`` command, which was deprecated in Bro 2.6.
 
+- Functionality for writing/reading binary event streams was removed. This functionality relied
+  on the old communication code anc was basically untested. The ``-R`` command-line option (replay)
+  as well as the ``capture_events`` function were removed.
+
+
 Deprecated Functionality
 ------------------------
 
diff --git a/src/Event.cc b/src/Event.cc
index 8ac7b3a53a..2389c618d7 100644
--- a/src/Event.cc
+++ b/src/Event.cc
@@ -58,13 +58,6 @@ void Event::Dispatch(bool no_remote)
 	if ( src == SOURCE_BROKER )
 		no_remote = true;
 
-	/* Fixme: johanna
-	if ( event_serializer )
-		{
-		SerialInfo info(event_serializer);
-		event_serializer->Serialize(&info, handler->Name(), &args);
-		} */
-
 	if ( handler->ErrorHandler() )
 		reporter->BeginErrorHandler();
 
diff --git a/src/main.cc b/src/main.cc
index f4830cdb17..e69aa70909 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -98,9 +98,6 @@ name_list prefixes;
 Stmt* stmts;
 EventHandlerPtr net_done = 0;
 RuleMatcher* rule_matcher = 0;
-// Fixme: Johanna
-// FileSerializer* event_serializer = 0;
-// EventPlayer* event_player = 0;
 EventRegistry* event_registry = 0;
 ProfileLogger* profiling_logger = 0;
 ProfileLogger* segment_logger = 0;
@@ -178,7 +175,6 @@ void usage(int code = 1)
 	fprintf(stderr, "    -N|--print-plugins             | print available plugins and exit (-NN for verbose)\n");
 	fprintf(stderr, "    -P|--prime-dns                 | prime DNS\n");
 	fprintf(stderr, "    -Q|--time                      | print execution time summary to stderr\n");
-	fprintf(stderr, "    -R|--replay <events.bst>       | replay events\n");
 	fprintf(stderr, "    -S|--debug-rules               | enable rule debugging\n");
 	fprintf(stderr, "    -T|--re-level <level>          | set 'RE_level' for rules\n");
 	fprintf(stderr, "    -U|--status-file <file>        | Record process status in file\n");
@@ -348,8 +344,6 @@ void terminate_bro()
 
 	delete zeekygen_mgr;
 	delete timer_mgr;
-	// Fixme: johanna
-	// delete event_serializer;
 	delete event_registry;
 	delete analyzer_mgr;
 	delete file_mgr;
@@ -420,7 +414,6 @@ int main(int argc, char** argv)
 	name_list read_files;
 	name_list rule_files;
 	char* id_name = 0;
-	char* events_file = 0;
 
 	char* seed_load_file = zeekenv("ZEEK_SEED_FILE");
 	char* seed_save_file = 0;
@@ -457,7 +450,6 @@ int main(int argc, char** argv)
 		{"print-plugins",	no_argument,		0,	'N'},
 		{"prime-dns",		no_argument,		0,	'P'},
 		{"time",		no_argument,		0,	'Q'},
-		{"replay",		required_argument,	0,	'R'},
 		{"debug-rules",		no_argument,		0,	'S'},
 		{"re-level",		required_argument,	0,	'T'},
 		{"watchdog",		no_argument,		0,	'W'},
@@ -508,7 +500,7 @@ int main(int argc, char** argv)
 	opterr = 0;
 
 	char opts[256];
-	safe_strncpy(opts, "B:e:f:G:H:I:i:n:p:R:r:s:T:t:U:w:x:X:CFNPQSWabdghv",
+	safe_strncpy(opts, "B:e:f:G:H:I:i:n:p:r:s:T:t:U:w:X:CFNPQSWabdhv",
 		     sizeof(opts));
 
 #ifdef USE_PERFTOOLS_DEBUG
@@ -619,10 +611,6 @@ int main(int argc, char** argv)
 			time_bro = 1;
 			break;
 
-		case 'R':
-			events_file = optarg;
-			break;
-
 		case 'S':
 			rule_debug = 1;
 			break;
@@ -787,10 +775,6 @@ int main(int argc, char** argv)
 
 	plugin_mgr->ActivateDynamicPlugins(! bare_mode);
 
-	// Fixme: Johanna
-	// if ( events_file )
-	//	event_player = new EventPlayer(events_file);
-
 	init_event_handlers();
 
 	md5_type = new OpaqueType("md5");
diff --git a/src/zeek.bif b/src/zeek.bif
index 9e8c0f2c18..139c77f955 100644
--- a/src/zeek.bif
+++ b/src/zeek.bif
@@ -4912,21 +4912,6 @@ function uninstall_dst_net_filter%(snet: subnet%) : bool
 	return val_mgr->GetBool(sessions->GetPacketFilter()->RemoveDst(snet));
 	%}
 
-## Writes the binary event stream generated by the core to a given file.
-## Use the ``-R <filename>`` command line switch to replay saved events.
-##
-## filename: The name of the file which stores the events.
-##
-## Returns: True if opening the target file succeeds.
-##
-## .. zeek:see:: capture_state_updates
-function capture_events%(filename: string%) : bool
-	%{
-	// Fixme: johanna
-
-	return val_mgr->GetBool(true);
-	%}
-
 ## Checks whether the last raised event came from a remote peer.
 ##
 ## Returns: True if the last raised event came from a remote peer.

From 446b5cb90eede5691901bfeced2956ea5a644b82 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 18 Jun 2019 11:09:16 -0700
Subject: [PATCH 76/91] Remove opaque of ocsp_resp.

Only used in one event, without any way to use the opaque for anything
else. At this point this just seems like a complication that has no
reason to be there.
---
 NEWS                                          |  5 ++
 src/file_analysis/analyzer/x509/OCSP.cc       | 57 +------------------
 src/file_analysis/analyzer/x509/OCSP.h        | 18 +-----
 .../analyzer/x509/ocsp_events.bif             |  5 +-
 testing/btest/Baseline/broker.opaque/out      |  1 -
 testing/btest/broker/opaque.zeek              |  3 -
 .../base/protocols/ssl/ocsp-http-get.test     |  2 +-
 .../base/protocols/ssl/ocsp-request-only.test |  2 +-
 .../protocols/ssl/ocsp-request-response.test  |  2 +-
 .../protocols/ssl/ocsp-response-only.test     |  2 +-
 .../base/protocols/ssl/ocsp-revoked.test      |  2 +-
 11 files changed, 14 insertions(+), 85 deletions(-)

diff --git a/NEWS b/NEWS
index c2d0411e25..ac4bfa3c07 100644
--- a/NEWS
+++ b/NEWS
@@ -319,6 +319,11 @@ Changed Functionality
   - logging
     - bro/logs/<stream>
 
+- The ``resp_ref`` argument was removed from the ``ocsp_response_bytes``
+  event. ``resp_ref`` was not used by anything in the codebase and could not be
+  passed to any other functions for further processing. The remainder of the
+	``ocsp_response_bytes`` is unchanged.
+
 Removed Functionality
 ---------------------
 
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index 269126c9d9..69898143ce 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -175,9 +175,7 @@ bool file_analysis::OCSP::EndOfFile()
 			return false;
 			}
 
-		OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership
-		ParseResponse(resp_val);
-		Unref(resp_val);
+		ParseResponse(resp);
 		}
 
 	return true;
@@ -449,9 +447,8 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 	BIO_free(bio);
 }
 
-void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
+void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	{
-	OCSP_RESPONSE   *resp       = resp_val->GetResp();
 	//OCSP_RESPBYTES  *resp_bytes = resp->responseBytes;
 	OCSP_BASICRESP  *basic_resp = nullptr;
 	OCSP_RESPDATA   *resp_data  = nullptr;
@@ -506,7 +503,6 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 #endif
 
 	vl.append(GetFile()->GetVal()->Ref());
-	vl.append(resp_val->Ref());
 	vl.append(status_val);
 
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
@@ -690,52 +686,3 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
 		ParseSignedCertificateTimestamps(ex);
 	}
 
-OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type)
-	{
-	ocsp_resp = arg_ocsp_resp;
-	}
-
-OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type)
-	{
-	ocsp_resp = nullptr;
-	}
-
-OCSP_RESPVal::~OCSP_RESPVal()
-	{
-	if (ocsp_resp)
-		OCSP_RESPONSE_free(ocsp_resp);
-	}
-
-OCSP_RESPONSE* OCSP_RESPVal::GetResp() const
-	{
-	return ocsp_resp;
-	}
-
-IMPLEMENT_OPAQUE_VALUE(OCSP_RESPVal)
-
-broker::data OCSP_RESPVal::DoSerialize() const
-	{
-        unsigned char *buf = NULL;
-        int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf);
-        if ( length < 0 )
-                return broker::none();
-
-	auto d = std::string(reinterpret_cast<const char*>(buf), length);
-        OPENSSL_free(buf);
-
-	return d;
-	}
-
-bool OCSP_RESPVal::DoUnserialize(const broker::data& data)
-	{
-	if ( caf::get_if<broker::none>(&data) )
-		return false;
-
-	auto s = caf::get_if<std::string>(&data);
-	if ( ! s )
-		return false;
-
-	auto opensslbuf = reinterpret_cast<const unsigned char*>(s->data());
-        ocsp_resp = d2i_OCSP_RESPONSE(NULL, &opensslbuf, s->size());
-	return (ocsp_resp != nullptr);
-	}
diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
index 4f706b8f64..c2cc0f6e5d 100644
--- a/src/file_analysis/analyzer/x509/OCSP.h
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@@ -5,7 +5,6 @@
 
 #include <string>
 
-#include "OpaqueVal.h"
 #include "../File.h"
 #include "Analyzer.h"
 #include "X509Common.h"
@@ -14,8 +13,6 @@
 
 namespace file_analysis {
 
-class OCSP_RESPVal;
-
 class OCSP : public file_analysis::X509Common {
 public:
 	bool DeliverStream(const u_char* data, uint64 len) override;
@@ -29,7 +26,7 @@ protected:
 	OCSP(RecordVal* args, File* file, bool request);
 
 private:
-	void ParseResponse(OCSP_RESPVal*);
+	void ParseResponse(OCSP_RESPONSE*);
 	void ParseRequest(OCSP_REQUEST*);
 	void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override;
 
@@ -37,19 +34,6 @@ private:
 	bool request = false; // true if ocsp request, false if reply
 };
 
-class OCSP_RESPVal: public OpaqueVal {
-public:
-	explicit OCSP_RESPVal(OCSP_RESPONSE *);
-	~OCSP_RESPVal() override;
-	OCSP_RESPONSE *GetResp() const;
-protected:
-	OCSP_RESPVal();
-
-	DECLARE_OPAQUE_VALUE(OCSP_RESPVal)
-private:
-	OCSP_RESPONSE *ocsp_resp;
-};
-
 }
 
 #endif
diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif
index 564126b2bb..fe17344490 100644
--- a/src/file_analysis/analyzer/x509/ocsp_events.bif
+++ b/src/file_analysis/analyzer/x509/ocsp_events.bif
@@ -52,9 +52,6 @@ event ocsp_response_status%(f: fa_file, status: string%);
 ##
 ## f: The file.
 ##
-## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
-##          OCSP response.
-##
 ## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
 ##
 ## version: Version of the OCSP response (typically - for version 1).
@@ -71,7 +68,7 @@ event ocsp_response_status%(f: fa_file, status: string%);
 ## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
 ##              ocsp_response_certificate ocsp_extension
 ##              x509_ocsp_ext_signed_certificate_timestamp
-event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
+event ocsp_response_bytes%(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
 
 ## This event is raised for each SingleResponse contained in an OCSP response.
 ## See :rfc:`6960` for more details on OCSP.
diff --git a/testing/btest/Baseline/broker.opaque/out b/testing/btest/Baseline/broker.opaque/out
index 4582e8dc2b..35bf821c47 100644
--- a/testing/btest/Baseline/broker.opaque/out
+++ b/testing/btest/Baseline/broker.opaque/out
@@ -20,7 +20,6 @@
 ============ X509
 [version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=904651200.0, not_valid_after=1832673600.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 [version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=904651200.0, not_valid_after=1832673600.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
-============ OCSP_RESPVal
 ============ Entropy
 [entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
 [entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
diff --git a/testing/btest/broker/opaque.zeek b/testing/btest/broker/opaque.zeek
index bddd68e0be..e0a3bef6c7 100644
--- a/testing/btest/broker/opaque.zeek
+++ b/testing/btest/broker/opaque.zeek
@@ -75,9 +75,6 @@ event zeek_init()
 	print x509_parse(x509);
 	print x509_parse(x5092);
 
-	print "============ OCSP_RESPVal";
-	# TODO: Not sure how to test?
-
 	print "============ Entropy";
 	local handle = entropy_test_init();
 	entropy_test_add(handle, "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
index 747c1a667c..6b4b034c69 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
index 348da52f96..5106a17c75 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
@@ -31,7 +31,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
index 1942b57bad..67f62e451d 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
index 871ac59a34..568915d7aa 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
index 5f5f1486ea..e26bae59a5 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}

From 53cde131e977a3a640a3d55b2e6b35ac7461e08e Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 18 Jun 2019 14:37:09 -0700
Subject: [PATCH 77/91] Add missing ShallowClone implementation for SetType

It turns out that SetType was missing a ShallowClone implementation.
Which meant that when a SetType was cloned, a TableType was received
(which has one less member). Which resulted in invalid memory accesses
when using the clone.

Thank you valgrind :)
---
 src/Type.cc | 13 +++++++++++++
 src/Type.h  |  2 ++
 2 files changed, 15 insertions(+)

diff --git a/src/Type.cc b/src/Type.cc
index fdcbddf9c7..f5a93c3315 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -484,6 +484,19 @@ SetType::SetType(TypeList* ind, ListExpr* arg_elements) : TableType(ind, 0)
 		}
 	}
 
+SetType* SetType::ShallowClone()
+	{
+	// constructor only consumes indices when elements
+	// is set
+	if ( elements && indices )
+		{
+		elements->Ref();
+		indices->Ref();
+		}
+
+	return new SetType(indices, elements);
+	}
+
 SetType::~SetType()
 	{
 	Unref(elements);
diff --git a/src/Type.h b/src/Type.h
index a97f7360c8..043ec5c928 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -381,6 +381,8 @@ public:
 	SetType(TypeList* ind, ListExpr* arg_elements);
 	~SetType() override;
 
+	SetType* ShallowClone() override;
+
 	ListExpr* SetElements() const	{ return elements; }
 
 protected:

From e0f10fd6d3db7a8ff4d16dc4e3d55732fdc41b73 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 18 Jun 2019 15:23:02 -0700
Subject: [PATCH 78/91] Change return value of OpaqueVal::DoSerialize.

Now it returns a broker::expected<broker::data>, instead of directly
returning a broker::data before. This means that broker::data does no
longer have to be abused to convey error information.

In a way it would be kind of neat to have more fine-granular broker error
types for this use-case - at the moment everything returns
broker::ec::invalid_data, which seems to be the only reasonable choice.
---
 src/OpaqueVal.cc                        | 26 ++++++++++++-------------
 src/OpaqueVal.h                         | 20 +++++++++++--------
 src/broker/Data.cc                      | 10 +++++-----
 src/broker/Store.cc                     |  4 ++--
 src/file_analysis/analyzer/x509/X509.cc | 10 +++++-----
 src/probabilistic/Topk.cc               |  6 +++---
 6 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc
index baac74605a..81a836754b 100644
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@@ -58,10 +58,10 @@ broker::expected<broker::data> OpaqueVal::Serialize() const
 	auto type = OpaqueMgr::mgr()->TypeID(this);
 
 	auto d = DoSerialize();
-	if ( d == broker::none() )
-		return broker::ec::invalid_data; // Cannot serialize
+	if ( !d )
+		return d.error();
 
-	return {broker::vector{std::move(type), std::move(d)}};
+	return {broker::vector{std::move(type), std::move(*d)}};
 	}
 
 OpaqueVal* OpaqueVal::Unserialize(const broker::data& data)
@@ -288,7 +288,7 @@ StringVal* MD5Val::DoGet()
 
 IMPLEMENT_OPAQUE_VALUE(MD5Val)
 
-broker::data MD5Val::DoSerialize() const
+broker::expected<broker::data> MD5Val::DoSerialize() const
 	{
 	if ( ! IsValid() )
 		return broker::vector{false};
@@ -429,7 +429,7 @@ StringVal* SHA1Val::DoGet()
 
 IMPLEMENT_OPAQUE_VALUE(SHA1Val)
 
-broker::data SHA1Val::DoSerialize() const
+broker::expected<broker::data> SHA1Val::DoSerialize() const
 	{
 	if ( ! IsValid() )
 		return broker::vector{false};
@@ -573,7 +573,7 @@ StringVal* SHA256Val::DoGet()
 
 IMPLEMENT_OPAQUE_VALUE(SHA256Val)
 
-broker::data SHA256Val::DoSerialize() const
+broker::expected<broker::data> SHA256Val::DoSerialize() const
 	{
 	if ( ! IsValid() )
 		return broker::vector{false};
@@ -659,7 +659,7 @@ bool EntropyVal::Get(double *r_ent, double *r_chisq, double *r_mean,
 
 IMPLEMENT_OPAQUE_VALUE(EntropyVal)
 
-broker::data EntropyVal::DoSerialize() const
+broker::expected<broker::data> EntropyVal::DoSerialize() const
 	{
 	broker::vector d =
 		{
@@ -872,7 +872,7 @@ BloomFilterVal::~BloomFilterVal()
 
 IMPLEMENT_OPAQUE_VALUE(BloomFilterVal)
 
-broker::data BloomFilterVal::DoSerialize() const
+broker::expected<broker::data> BloomFilterVal::DoSerialize() const
 	{
 	broker::vector d;
 
@@ -880,7 +880,7 @@ broker::data BloomFilterVal::DoSerialize() const
 		{
 		auto t = SerializeType(type);
 		if ( t == broker::none() )
-			return broker::none();
+			return broker::ec::invalid_data;
 
 		d.emplace_back(t);
 		}
@@ -889,7 +889,7 @@ broker::data BloomFilterVal::DoSerialize() const
 
 	auto bf = bloom_filter->Serialize();
 	if ( ! bf )
-		return broker::none();
+		return broker::ec::invalid_data; // Cannot serialize;
 
 	d.emplace_back(*bf);
 	return d;
@@ -976,7 +976,7 @@ void CardinalityVal::Add(const Val* val)
 
 IMPLEMENT_OPAQUE_VALUE(CardinalityVal)
 
-broker::data CardinalityVal::DoSerialize() const
+broker::expected<broker::data> CardinalityVal::DoSerialize() const
 	{
 	broker::vector d;
 
@@ -984,7 +984,7 @@ broker::data CardinalityVal::DoSerialize() const
 		{
 		auto t = SerializeType(type);
 		if ( t == broker::none() )
-			return broker::none();
+			return broker::ec::invalid_data;
 
 		d.emplace_back(t);
 		}
@@ -993,7 +993,7 @@ broker::data CardinalityVal::DoSerialize() const
 
 	auto cs = c->Serialize();
 	if ( ! cs )
-		return broker::none();
+		return broker::ec::invalid_data;
 
 	d.emplace_back(*cs);
 	return d;
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h
index f07a0f9752..720d502aaa 100644
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@@ -64,7 +64,7 @@ private:
 /** Macro to insert into an OpaqueVal-derived class's declaration. */
 #define DECLARE_OPAQUE_VALUE(T)                            \
     friend class OpaqueMgr::Register<T>;                   \
-    broker::data DoSerialize() const override;             \
+    broker::expected<broker::data> DoSerialize() const override;             \
     bool DoUnserialize(const broker::data& data) override; \
     const char* OpaqueName() const override { return #T; } \
     static OpaqueVal* OpaqueInstantiate() { return new T(); }
@@ -97,7 +97,7 @@ public:
 	 * Reinstantiates a value from its serialized Broker representation.
 	 *
 	 * @param data Broker representation as returned by *Serialize()*.
-	 * @return unserialized instances with referecnce count at +1
+	 * @return unserialized instances with reference count at +1
 	 */
 	static OpaqueVal* Unserialize(const broker::data& data);
 
@@ -107,15 +107,19 @@ protected:
 	OpaqueVal() { }
 
 	/**
-	 * Must be overriden to provide a serialized version of the derived
-	 * class' state. Returns 'broker::none()' if serialization fails, or
-	 * is not supported.
+	 * Must be overridden to provide a serialized version of the derived
+	 * class' state.
+	 *
+	 * @return the serialized data or an error if serialization
+	 * isn't supported or failed.
 	 */
-	virtual broker::data DoSerialize() const = 0;
+	virtual broker::expected<broker::data> DoSerialize() const = 0;
 
 	/**
-	 * Must be overriden to recreate the the derived class' state from a
-	 * serialization. Returns true if successfull.
+	 * Must be overridden to recreate the the derived class' state from a
+	 * serialization.
+	 *
+	 * @return true if successful.
 	 */
 	virtual bool DoUnserialize(const broker::data& data) = 0;
 
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index 76ebff46df..385dbe5381 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -1114,7 +1114,7 @@ Val* bro_broker::DataVal::castTo(BroType* t)
 
 IMPLEMENT_OPAQUE_VALUE(bro_broker::DataVal)
 
-broker::data bro_broker::DataVal::DoSerialize() const
+broker::expected<broker::data> bro_broker::DataVal::DoSerialize() const
 	{
 	return data;
 	}
@@ -1127,7 +1127,7 @@ bool bro_broker::DataVal::DoUnserialize(const broker::data& data_)
 
 IMPLEMENT_OPAQUE_VALUE(bro_broker::SetIterator)
 
-broker::data bro_broker::SetIterator::DoSerialize() const
+broker::expected<broker::data> bro_broker::SetIterator::DoSerialize() const
 	{
 	return broker::vector{dat, *it};
 	}
@@ -1154,7 +1154,7 @@ bool bro_broker::SetIterator::DoUnserialize(const broker::data& data)
 
 IMPLEMENT_OPAQUE_VALUE(bro_broker::TableIterator)
 
-broker::data bro_broker::TableIterator::DoSerialize() const
+broker::expected<broker::data> bro_broker::TableIterator::DoSerialize() const
 	{
 	return broker::vector{dat, it->first};
 	}
@@ -1181,7 +1181,7 @@ bool bro_broker::TableIterator::DoUnserialize(const broker::data& data)
 
 IMPLEMENT_OPAQUE_VALUE(bro_broker::VectorIterator)
 
-broker::data bro_broker::VectorIterator::DoSerialize() const
+broker::expected<broker::data> bro_broker::VectorIterator::DoSerialize() const
 	{
 	broker::integer difference = it - dat.begin();
 	return broker::vector{dat, difference};
@@ -1203,7 +1203,7 @@ bool bro_broker::VectorIterator::DoUnserialize(const broker::data& data)
 
 IMPLEMENT_OPAQUE_VALUE(bro_broker::RecordIterator)
 
-broker::data bro_broker::RecordIterator::DoSerialize() const
+broker::expected<broker::data> bro_broker::RecordIterator::DoSerialize() const
 	{
 	broker::integer difference = it - dat.begin();
 	return broker::vector{dat, difference};
diff --git a/src/broker/Store.cc b/src/broker/Store.cc
index 7462485bc3..2f61b14d37 100644
--- a/src/broker/Store.cc
+++ b/src/broker/Store.cc
@@ -51,10 +51,10 @@ void StoreHandleVal::ValDescribe(ODesc* d) const
 
 IMPLEMENT_OPAQUE_VALUE(StoreHandleVal)
 
-broker::data StoreHandleVal::DoSerialize() const
+broker::expected<broker::data> StoreHandleVal::DoSerialize() const
 	{
 	// Cannot serialize.
-	return broker::none();
+	return broker::ec::invalid_data;
 	}
 
 bool StoreHandleVal::DoUnserialize(const broker::data& data)
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index a46894dd9c..b2bd1a25e8 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -491,13 +491,13 @@ Val* X509Val::DoClone(CloneState* state)
 
 IMPLEMENT_OPAQUE_VALUE(X509Val)
 
-broker::data X509Val::DoSerialize() const
+broker::expected<broker::data> X509Val::DoSerialize() const
 	{
-        unsigned char *buf = NULL;
-        int length = i2d_X509(certificate, &buf);
+	unsigned char *buf = NULL;
+	int length = i2d_X509(certificate, &buf);
 
-        if ( length < 0 )
-                return broker::none();
+	if ( length < 0 )
+		return broker::ec::invalid_data;
 
 	auto d = std::string(reinterpret_cast<const char*>(buf), length);
         OPENSSL_free(buf);
diff --git a/src/probabilistic/Topk.cc b/src/probabilistic/Topk.cc
index 62ff96fe8a..3e08bed6d9 100644
--- a/src/probabilistic/Topk.cc
+++ b/src/probabilistic/Topk.cc
@@ -408,7 +408,7 @@ void TopkVal::IncrementCounter(Element* e, unsigned int count)
 
 IMPLEMENT_OPAQUE_VALUE(TopkVal)
 
-broker::data TopkVal::DoSerialize() const
+broker::expected<broker::data> TopkVal::DoSerialize() const
 	{
 	broker::vector d = {size, numElements, pruned};
 
@@ -416,7 +416,7 @@ broker::data TopkVal::DoSerialize() const
 		{
 		auto t = SerializeType(type);
 		if ( t == broker::none() )
-			return broker::none();
+			return broker::ec::invalid_data;
 
 		d.emplace_back(t);
 		}
@@ -440,7 +440,7 @@ broker::data TopkVal::DoSerialize() const
 			d.emplace_back(element->epsilon);
 			auto v = bro_broker::val_to_data(element->value);
 			if ( ! v )
-				return broker::none();
+				return broker::ec::invalid_data;
 
 			d.emplace_back(*v);
 

From 91835752b74234ba455445855bb0ccd0dd6721b8 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Tue, 18 Jun 2019 17:25:32 -0700
Subject: [PATCH 79/91] Misc. tweaks to vector slicing implementation

* Minor style/format changes

* Fix a signed/unsigned comparison compiler warning

* Use a non-fatal error for non-integral slice indices so we can
  report any further scripting errors instead of stopping the parse
  right there
---
 NEWS        |  6 ++++++
 src/Expr.cc | 13 ++++++-------
 src/Val.cc  |  1 +
 src/Val.h   |  4 ++--
 src/parse.y |  4 +++-
 5 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/NEWS b/NEWS
index 6abb21c055..7ae2250cfe 100644
--- a/NEWS
+++ b/NEWS
@@ -94,6 +94,12 @@ New Functionality
   is available in the events: ``ssl_extension_pre_shared_key_client_hello``
   and ``ssl_extension_pre_shared_key_server_hello``.
 
+- Add support for vector slicing operations.  For example::
+
+    local v = vector(1, 2, 3, 4, 5);
+    v[2:4] = vector(6, 7, 8);        # v is now [1, 2, 6, 7, 8, 5]
+    print v[:4];                     # prints [1, 2, 6, 7]
+
 Changed Functionality
 ---------------------
 
diff --git a/src/Expr.cc b/src/Expr.cc
index ea8253e347..58963579fd 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3200,27 +3200,26 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
 	switch ( v1->Type()->Tag() ) {
 	case TYPE_VECTOR:
 		{
-		const ListVal *lv = v2->AsListVal();
+		const ListVal* lv = v2->AsListVal();
 		VectorVal* v1_vect = v1->AsVectorVal();
 
 		if ( lv->Length() > 1 )
 			{
-			int len = v1_vect->Size();
+			auto len = v1_vect->Size();
 			bro_int_t first = get_slice_index(lv->Index(0)->CoerceToInt(), len);
 			bro_int_t last = get_slice_index(lv->Index(1)->CoerceToInt(), len);
 
 			// Remove the elements from the vector within the slice
-			for ( int idx = first; idx < last; idx++ )
+			for ( auto idx = first; idx < last; idx++ )
 				v1_vect->Remove(first);
 
 			// Insert the new elements starting at the first position
 			VectorVal* v_vect = v->AsVectorVal();
-			for ( int idx = 0; idx < v_vect->Size(); idx++, first++ )
-				{
+
+			for ( auto idx = 0u; idx < v_vect->Size(); idx++, first++ )
 				v1_vect->Insert(first, v_vect->Lookup(idx)->Ref());
-				}
 			}
-		else if ( !v1_vect->Assign(v2, v, op) )
+		else if ( ! v1_vect->Assign(v2, v, op) )
 			{
 			if ( v )
 				{
diff --git a/src/Val.cc b/src/Val.cc
index 0a6c7dd985..21a2d4a7db 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -3417,6 +3417,7 @@ bool VectorVal::Insert(unsigned int index, Val* element)
 		}
 
 	vector<Val*>::iterator it;
+
 	if ( index < val.vector_val->size() )
 		it = std::next(val.vector_val->begin(), index);
 	else
diff --git a/src/Val.h b/src/Val.h
index 20302e3a9d..66ad7e907e 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -1197,8 +1197,8 @@ public:
 	// Insert an element at a specific position into the underlying vector.
 	bool Insert(unsigned int index, Val* element);
 
-	// Removes an element or a range of elements from a specific position.
-	bool Remove(unsigned int start_index);
+	// Removes an element at a specific position.
+	bool Remove(unsigned int index);
 
 protected:
 	friend class Val;
diff --git a/src/parse.y b/src/parse.y
index 07a544bb64..4c39ee191d 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -484,8 +484,10 @@ expr:
 			set_location(@1, @6);
 			Expr* low = $3 ? $3 : new ConstExpr(val_mgr->GetCount(0));
 			Expr* high = $5 ? $5 : new SizeExpr($1);
+
 			if ( ! IsIntegral(low->Type()->Tag()) || ! IsIntegral(high->Type()->Tag()) )
-				reporter->FatalError("slice notation must have integral values as indexes");
+				reporter->Error("slice notation must have integral values as indexes");
+
 			ListExpr* le = new ListExpr(low);
 			le->Append(high);
 			$$ = new IndexExpr($1, le, true);

From 385f500497589727e9b40a6b97b6bb68a119b13b Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Tue, 18 Jun 2019 17:42:06 -0700
Subject: [PATCH 80/91] Fix memory leak in vector slice assignment

Two parts to this:

  * Only allow vector slice assignment in statement contexts, not in
    arbitrary assignment expressions.  E.g. it's not clear what the
    resulting value of `(v[1:2] = vector(1))` is for further expression
    chaining.  For reference, Python doesn't allow it either.

  * Add a subclass of AssignExpr to specialize the behavior for index
    slice assignments (because its behavior regarding expression
    chaining is different per the previous point) and Unref the RHS
    of things like `v[1:2] = vector(1)` after IndexExpr::Assign is
    finished inserting it (since no one else takes ownership of it).

Instead of using an Expr subclass, IndexSliceAssignExpr, we could
use a proper Stmt, since that's the only context we currently use it
for, but if we did ever to decide on allowing its use in arbitrary
expression contexts, then I expect we'll need it this way anyway
(just with a different IndexSliceAssignExpr::Eval implementation).
---
 src/Expr.cc                                   | 50 +++++++++++++++++--
 src/Expr.h                                    | 32 +++++++++++-
 src/SerialTypes.h                             |  1 +
 src/parse.y                                   | 48 ++++++++++++------
 testing/btest/core/leaks/vector-indexing.zeek | 30 +++++++++++
 5 files changed, 140 insertions(+), 21 deletions(-)
 create mode 100644 testing/btest/core/leaks/vector-indexing.zeek

diff --git a/src/Expr.cc b/src/Expr.cc
index 58963579fd..8f003de030 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -32,7 +32,7 @@ const char* expr_name(BroExprTag t)
 		"$=", "in", "<<>>",
 		"()", "event", "schedule",
 		"coerce", "record_coerce", "table_coerce",
-		"sizeof", "flatten", "cast", "is"
+		"sizeof", "flatten", "cast", "is", "[:]="
 	};
 
 	if ( int(t) >= NUM_EXPRS )
@@ -2905,8 +2905,46 @@ bool AssignExpr::DoUnserialize(UnserialInfo* info)
 	return UNSERIALIZE(&is_init);
 	}
 
-IndexExpr::IndexExpr(Expr* arg_op1, ListExpr* arg_op2, bool is_slice)
-: BinaryExpr(EXPR_INDEX, arg_op1, arg_op2)
+IndexSliceAssignExpr::IndexSliceAssignExpr(Expr* op1, Expr* op2, int is_init)
+	: AssignExpr(op1, op2, is_init)
+	{
+	}
+
+Val* IndexSliceAssignExpr::Eval(Frame* f) const
+	{
+	if ( is_init )
+		{
+		RuntimeError("illegal assignment in initialization");
+		return 0;
+		}
+
+	Val* v = op2->Eval(f);
+
+	if ( v )
+		{
+		op1->Assign(f, v);
+		Unref(v);
+		}
+
+	return 0;
+	}
+
+IMPLEMENT_SERIAL(IndexSliceAssignExpr, SER_INDEX_SLICE_ASSIGN_EXPR);
+
+bool IndexSliceAssignExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_INDEX_SLICE_ASSIGN_EXPR, AssignExpr);
+	return true;
+	}
+
+bool IndexSliceAssignExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(AssignExpr);
+	return true;
+	}
+
+IndexExpr::IndexExpr(Expr* arg_op1, ListExpr* arg_op2, bool arg_is_slice)
+: BinaryExpr(EXPR_INDEX, arg_op1, arg_op2), is_slice(arg_is_slice)
 	{
 	if ( IsError() )
 		return;
@@ -3302,13 +3340,13 @@ IMPLEMENT_SERIAL(IndexExpr, SER_INDEX_EXPR);
 bool IndexExpr::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_INDEX_EXPR, BinaryExpr);
-	return true;
+	return SERIALIZE(is_slice);
 	}
 
 bool IndexExpr::DoUnserialize(UnserialInfo* info)
 	{
 	DO_UNSERIALIZE(BinaryExpr);
-	return true;
+	return UNSERIALIZE(&is_slice);
 	}
 
 FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name)
@@ -5747,6 +5785,8 @@ Expr* get_assign_expr(Expr* op1, Expr* op2, int is_init)
 	if ( op1->Type()->Tag() == TYPE_RECORD &&
 	     op2->Type()->Tag() == TYPE_LIST )
 		return new RecordAssignExpr(op1, op2, is_init);
+	else if ( op1->Tag() == EXPR_INDEX && op1->AsIndexExpr()->IsSlice() )
+		return new IndexSliceAssignExpr(op1, op2, is_init);
 	else
 		return new AssignExpr(op1, op2, is_init);
 	}
diff --git a/src/Expr.h b/src/Expr.h
index e268f07648..111cc20e60 100644
--- a/src/Expr.h
+++ b/src/Expr.h
@@ -49,7 +49,8 @@ typedef enum {
 	EXPR_FLATTEN,
 	EXPR_CAST,
 	EXPR_IS,
-#define NUM_EXPRS (int(EXPR_IS) + 1)
+	EXPR_INDEX_SLICE_ASSIGN,
+#define NUM_EXPRS (int(EXPR_INDEX_SLICE_ASSIGN) + 1)
 } BroExprTag;
 
 extern const char* expr_name(BroExprTag t);
@@ -58,6 +59,7 @@ class Stmt;
 class Frame;
 class ListExpr;
 class NameExpr;
+class IndexExpr;
 class AssignExpr;
 class CallExpr;
 class EventExpr;
@@ -187,6 +189,18 @@ public:
 		return (AssignExpr*) this;
 		}
 
+	const IndexExpr* AsIndexExpr() const
+		{
+		CHECK_TAG(tag, EXPR_INDEX, "ExprVal::AsIndexExpr", expr_name)
+		return (const IndexExpr*) this;
+		}
+
+	IndexExpr* AsIndexExpr()
+		{
+		CHECK_TAG(tag, EXPR_INDEX, "ExprVal::AsIndexExpr", expr_name)
+		return (IndexExpr*) this;
+		}
+
 	void Describe(ODesc* d) const override;
 
 	bool Serialize(SerialInfo* info) const;
@@ -663,6 +677,18 @@ protected:
 	Val* val;	// optional
 };
 
+class IndexSliceAssignExpr : public AssignExpr {
+public:
+	IndexSliceAssignExpr(Expr* op1, Expr* op2, int is_init);
+	Val* Eval(Frame* f) const override;
+
+protected:
+	friend class Expr;
+	IndexSliceAssignExpr() {}
+
+	DECLARE_SERIAL(IndexSliceAssignExpr);
+};
+
 class IndexExpr : public BinaryExpr {
 public:
 	IndexExpr(Expr* op1, ListExpr* op2, bool is_slice = false);
@@ -682,6 +708,8 @@ public:
 
 	TraversalCode Traverse(TraversalCallback* cb) const override;
 
+	bool IsSlice() const { return is_slice; }
+
 protected:
 	friend class Expr;
 	IndexExpr()	{ }
@@ -691,6 +719,8 @@ protected:
 	void ExprDescribe(ODesc* d) const override;
 
 	DECLARE_SERIAL(IndexExpr);
+
+	bool is_slice;
 };
 
 class FieldExpr : public UnaryExpr {
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
index 029048a80f..a0b3f4231b 100644
--- a/src/SerialTypes.h
+++ b/src/SerialTypes.h
@@ -166,6 +166,7 @@ SERIAL_EXPR(CAST_EXPR, 45)
 SERIAL_EXPR(IS_EXPR_, 46) // Name conflict with internal SER_IS_EXPR constant.
 SERIAL_EXPR(BIT_EXPR, 47)
 SERIAL_EXPR(COMPLEMENT_EXPR, 48)
+SERIAL_EXPR(INDEX_SLICE_ASSIGN_EXPR, 49)
 
 #define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT)
 SERIAL_STMT(STMT, 1)
diff --git a/src/parse.y b/src/parse.y
index 4c39ee191d..48c8143f35 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -5,7 +5,7 @@
 // Switching parser table type fixes ambiguity problems.
 %define lr.type ielr
 
-%expect 103
+%expect 104
 
 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY
 %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
@@ -57,7 +57,7 @@
 %type <ic> init_class
 %type <expr> opt_init
 %type <val> TOK_CONSTANT
-%type <expr> expr opt_expr init anonymous_function
+%type <expr> expr opt_expr init anonymous_function index_slice
 %type <event_expr> event
 %type <stmt> stmt stmt_list func_body for_head
 %type <type> type opt_type enum_body
@@ -464,6 +464,12 @@ expr:
 	|	expr '=' expr
 			{
 			set_location(@1, @3);
+
+			if ( $1->Tag() == EXPR_INDEX && $1->AsIndexExpr()->IsSlice() )
+				reporter->Error("index slice assignment may not be used"
+				                " in arbitrary expression contexts, only"
+				                " as a statement");
+
 			$$ = get_assign_expr($1, $3, in_init);
 			}
 
@@ -479,19 +485,7 @@ expr:
 			$$ = new IndexExpr($1, $3);
 			}
 
-	|	expr '[' opt_expr ':' opt_expr ']'
-			{
-			set_location(@1, @6);
-			Expr* low = $3 ? $3 : new ConstExpr(val_mgr->GetCount(0));
-			Expr* high = $5 ? $5 : new SizeExpr($1);
-
-			if ( ! IsIntegral(low->Type()->Tag()) || ! IsIntegral(high->Type()->Tag()) )
-				reporter->Error("slice notation must have integral values as indexes");
-
-			ListExpr* le = new ListExpr(low);
-			le->Append(high);
-			$$ = new IndexExpr($1, le, true);
-			}
+	|	index_slice
 
 	|	expr '$' TOK_ID
 			{
@@ -1271,6 +1265,21 @@ init:
 	|	expr
 	;
 
+index_slice:
+		expr '[' opt_expr ':' opt_expr ']'
+			{
+			set_location(@1, @6);
+			Expr* low = $3 ? $3 : new ConstExpr(val_mgr->GetCount(0));
+			Expr* high = $5 ? $5 : new SizeExpr($1);
+
+			if ( ! IsIntegral(low->Type()->Tag()) || ! IsIntegral(high->Type()->Tag()) )
+				reporter->Error("slice notation must have integral values as indexes");
+
+			ListExpr* le = new ListExpr(low);
+			le->Append(high);
+			$$ = new IndexExpr($1, le, true);
+			}
+
 opt_attr:
 		attr_list
 	|
@@ -1474,6 +1483,15 @@ stmt:
 			    brofiler.DecIgnoreDepth();
 			}
 
+	|	index_slice '=' expr ';' opt_no_test
+			{
+			set_location(@1, @4);
+			$$ = new ExprStmt(get_assign_expr($1, $3, in_init));
+
+			if ( ! $5 )
+				brofiler.AddStmt($$);
+			}
+
 	|	expr ';' opt_no_test
 			{
 			set_location(@1, @2);
diff --git a/testing/btest/core/leaks/vector-indexing.zeek b/testing/btest/core/leaks/vector-indexing.zeek
new file mode 100644
index 0000000000..540913bd08
--- /dev/null
+++ b/testing/btest/core/leaks/vector-indexing.zeek
@@ -0,0 +1,30 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: zeek  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run zeek zeek -m -b -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+global did_it = F;
+
+event new_connection(c: connection)
+	{
+	if ( did_it )
+		return;
+
+	did_it = T;
+
+	# Slicing tests.
+	local v17 = vector( 1, 2, 3, 4, 5 );
+	print v17[0:2];
+	print v17[-3:-1];
+	print v17[:2];
+	print v17[2:];
+	print v17[:];
+	v17[0:1] = vector(6);
+	v17[2:4] = vector(7, 8);
+	v17[2:4] = vector(9, 10, 11);
+	v17[2:5] = vector(9);
+	}

From 4eed36ea01de42b28fdb09fd5a001887d86821e5 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 19 Jun 2019 09:28:15 -0700
Subject: [PATCH 81/91] Fix memory leak introduced by removing opaque of
 ocsp_resp.

---
 src/file_analysis/analyzer/x509/OCSP.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index 69898143ce..6833d5d8de 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -176,6 +176,7 @@ bool file_analysis::OCSP::EndOfFile()
 			}
 
 		ParseResponse(resp);
+		OCSP_RESPONSE_free(resp);
 		}
 
 	return true;

From 028294183868d53c9aebe649469eb988855b0481 Mon Sep 17 00:00:00 2001
From: jatkinosn <jeff.atkinosn@verizonmedia.com>
Date: Wed, 19 Jun 2019 15:12:56 -0400
Subject: [PATCH 82/91] Adding options field to RDP::ClientChannelDef Adding
 Client Cluster Data

---
 scripts/base/init-bare.zeek                |  9 +++-
 src/analyzer/protocol/rdp/events.bif       |  7 +++
 src/analyzer/protocol/rdp/rdp-analyzer.pac | 50 +++++++++++++++++-----
 src/analyzer/protocol/rdp/rdp-protocol.pac | 12 +++++-
 src/analyzer/protocol/rdp/types.bif        |  1 +
 5 files changed, 66 insertions(+), 13 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index f68bf3a545..6ed290fb2c 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4278,7 +4278,9 @@ export {
 	## Name and flags for a single channel requested by the client.
 	type RDP::ClientChannelDef: record {
 		## A unique name for the channel
-		name:           string;
+		name:           string;	
+		## Channel Def raw options as count
+		options:	int;
 		## Absence of this flag indicates that this channel is
 		## a placeholder and that the server MUST NOT set it up.
 		initialized:    bool;
@@ -4304,6 +4306,11 @@ export {
 		persistent:     bool;
 	};
 
+        type RDP::ClientClusterData: record {
+                flags:                  int;
+                redir_session_id:       int;
+        };
+
 	## The list of channels requested by the client.
 	type RDP::ClientChannelList: vector of ClientChannelDef;
 }
diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif
index 0931365dc6..91d2fc004a 100644
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@@ -49,6 +49,13 @@ event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
 ## channels: The channels that were requested
 event rdp_client_network_data%(c: connection, channels: RDP::ClientChannelList%);
 
+## Generated for client clusgter data packets.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## data: The data contained in the client security data structure.
+event rdp_client_cluster_data%(c: connection, data: RDP::ClientClusterData%);
+
 ## Generated for MCS server responses.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index 7b7552642f..d52c1153c5 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -130,18 +130,19 @@ refine flow RDP_Flow += {
 				RecordVal* channel_def = new RecordVal(BifType::Record::RDP::ClientChannelDef);
 
 				channel_def->Assign(0, bytestring_to_val(${cnetwork.channel_def_array[i].name}));
+				channel_def->Assign(1, val_mgr->GetCount(${cnetwork.channel_def_array[i].options}));
 
-				channel_def->Assign(1, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
-				channel_def->Assign(2, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP}));
-				channel_def->Assign(3, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC}));
-				channel_def->Assign(4, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS}));
-				channel_def->Assign(5, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH}));
-				channel_def->Assign(6, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED}));
-				channel_def->Assign(7, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW}));
-				channel_def->Assign(8, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP}));
-				channel_def->Assign(9, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS}));
-				channel_def->Assign(10, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
-				channel_def->Assign(11, val_mgr->GetBool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
+				channel_def->Assign(2, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
+				channel_def->Assign(3, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP}));
+				channel_def->Assign(4, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC}));
+				channel_def->Assign(5, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS}));
+				channel_def->Assign(6, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH}));
+				channel_def->Assign(7, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED}));
+				channel_def->Assign(8, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW}));
+				channel_def->Assign(9, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP}));
+				channel_def->Assign(10, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS}));
+				channel_def->Assign(11, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
+				channel_def->Assign(12, val_mgr->GetBool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
 
 				channels->Assign(channels->Size(), channel_def);
 				}
@@ -154,6 +155,29 @@ refine flow RDP_Flow += {
 		return true;
 		%}
 
+
+        function proc_rdp_client_cluster_data(ccluster: Client_Cluster_Data): bool
+                %{
+                if ( ! rdp_client_cluster_data )
+                        return false;
+
+                RecordVal* ccld = new RecordVal(BifType::Record::RDP::ClientClusterData);
+		ccld->Assign(0, val_mgr->GetCount(${ccluster.flags}));
+		ccld->Assign(1, val_mgr->GetCount(${ccluster.redir_session_id}));
+
+		ccld->Assign(2, val_mgr->GetBool(${ccluster.REDIRECTION_SUPPORTED}));
+		ccld->Assign(3, val_mgr->GetCount(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
+		ccld->Assign(4, val_mgr->GetCount(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
+		ccld->Assign(5, val_mgr->GetBool(${ccluster.REDIRECTED_SMARTCARD}));
+
+                BifEvent::generate_rdp_client_cluster_data(connection()->bro_analyzer(),
+                                                            connection()->bro_analyzer()->Conn(),
+                                                            ccld);
+                return true;
+                %}
+
+
+
 	function proc_rdp_server_security(ssd: Server_Security_Data): bool
 		%{
 		connection()->bro_analyzer()->ProtocolConfirmation();
@@ -226,6 +250,10 @@ refine typeattr Client_Network_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_network_data(this);
 };
 
+refine typeattr Client_Cluster_Data += &let {
+        proc: bool = $context.flow.proc_rdp_client_cluster_data(this);
+};
+
 refine typeattr GCC_Server_Create_Response += &let {
 	proc: bool = $context.flow.proc_rdp_gcc_server_create_response(this);
 };
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac
index 442a0d1292..f10dcf0af4 100644
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@@ -54,7 +54,7 @@ type Data_Block = record {
 		0xc001  -> client_core:       Client_Core_Data;
 		0xc002  -> client_security:   Client_Security_Data;
 		0xc003  -> client_network:    Client_Network_Data;
-		#0xc004  -> client_cluster:    Client_Cluster_Data;
+		0xc004  -> client_cluster:    Client_Cluster_Data;
 		#0xc005  -> client_monitor:    Client_Monitor_Data;
 		#0xc006  -> client_msgchannel: Client_MsgChannel_Data;
 		#0xc008  -> client_monitor_ex: Client_MonitorExtended_Data;
@@ -230,6 +230,16 @@ type Client_Network_Data = record {
 	channel_def_array: Client_Channel_Def[channel_count];
 } &byteorder=littleendian;
 
+type Client_Cluster_Data = record {
+	flags: uint32;
+	redir_session_id: uint32;
+} &let {
+	REDIRECTION_SUPPORTED:				bool = redir_session_id & 0x00000001;
+	SERVER_SESSION_REDIRECTION_VERSION_MASK:	int = (redir_session_id & 0x0000003C);
+	REDIRECTED_SESSIONID_FIELD_VALID:		int = (redir_session_id & 0x00000002);
+	REDIRECTED_SMARTCARD:				bool = redir_session_id & 0x00000040;
+} &byteorder=littleendian;
+
 type Client_Channel_Def = record {
 	name:     bytestring &length=8;
 	options:  uint32;
diff --git a/src/analyzer/protocol/rdp/types.bif b/src/analyzer/protocol/rdp/types.bif
index 69cbe14dd3..366676d017 100644
--- a/src/analyzer/protocol/rdp/types.bif
+++ b/src/analyzer/protocol/rdp/types.bif
@@ -5,6 +5,7 @@ type EarlyCapabilityFlags: record;
 type ClientCoreData: record;
 
 type ClientSecurityData: record;
+type ClientClusterData: record;
 
 type ClientChannelList: vector;
 type ClientChannelDef: record;

From bd0bf3f84f12cb69a13c010431d0933807c426e2 Mon Sep 17 00:00:00 2001
From: jatkinosn <jeff.atkinosn@verizonmedia.com>
Date: Wed, 19 Jun 2019 16:10:29 -0400
Subject: [PATCH 83/91] Removing misc data from Client Cluster data trying to
 assign values.

---
 src/analyzer/protocol/rdp/rdp-analyzer.pac | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index d52c1153c5..3007529f98 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -165,11 +165,6 @@ refine flow RDP_Flow += {
 		ccld->Assign(0, val_mgr->GetCount(${ccluster.flags}));
 		ccld->Assign(1, val_mgr->GetCount(${ccluster.redir_session_id}));
 
-		ccld->Assign(2, val_mgr->GetBool(${ccluster.REDIRECTION_SUPPORTED}));
-		ccld->Assign(3, val_mgr->GetCount(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
-		ccld->Assign(4, val_mgr->GetCount(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
-		ccld->Assign(5, val_mgr->GetBool(${ccluster.REDIRECTED_SMARTCARD}));
-
                 BifEvent::generate_rdp_client_cluster_data(connection()->bro_analyzer(),
                                                             connection()->bro_analyzer()->Conn(),
                                                             ccld);

From 3648b1465e099c92d4ab2230f56fdcb0345c5c87 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Wed, 19 Jun 2019 19:44:00 -0700
Subject: [PATCH 84/91] Updating submodule(s).

 [nomail]
---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index f594b66f7a..9926886afc 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit f594b66f7a3e3ca6735220ea39c432df4c1171c4
+Subproject commit 9926886afcc23f61b06d1361e35cc99a8f993911

From 7b42c3a201b2695d4cf997e69aa5564f9c516fc8 Mon Sep 17 00:00:00 2001
From: jatkinosn <jeff.atkinosn@verizonmedia.com>
Date: Thu, 20 Jun 2019 09:32:37 -0400
Subject: [PATCH 85/91] Correcting types.

---
 scripts/base/init-bare.zeek          | 6 +++---
 src/analyzer/protocol/rdp/events.bif | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 6ed290fb2c..f40b1a6fbe 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4280,7 +4280,7 @@ export {
 		## A unique name for the channel
 		name:           string;	
 		## Channel Def raw options as count
-		options:	int;
+		options:	count;
 		## Absence of this flag indicates that this channel is
 		## a placeholder and that the server MUST NOT set it up.
 		initialized:    bool;
@@ -4307,8 +4307,8 @@ export {
 	};
 
         type RDP::ClientClusterData: record {
-                flags:                  int;
-                redir_session_id:       int;
+                flags:                  count;
+                redir_session_id:       count;
         };
 
 	## The list of channels requested by the client.
diff --git a/src/analyzer/protocol/rdp/events.bif b/src/analyzer/protocol/rdp/events.bif
index 91d2fc004a..178860bd42 100644
--- a/src/analyzer/protocol/rdp/events.bif
+++ b/src/analyzer/protocol/rdp/events.bif
@@ -49,7 +49,7 @@ event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
 ## channels: The channels that were requested
 event rdp_client_network_data%(c: connection, channels: RDP::ClientChannelList%);
 
-## Generated for client clusgter data packets.
+## Generated for client cluster data packets.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
 ##

From 3a19af86c59509f35dd16bb199e75a707c628202 Mon Sep 17 00:00:00 2001
From: jatkinosn <jeff.atkinosn@verizonmedia.com>
Date: Thu, 20 Jun 2019 10:47:05 -0400
Subject: [PATCH 86/91] Fixing types.

Added handling for fields sub fields.

Added test script and output.
---
 scripts/base/init-bare.zeek                   |  8 ++++--
 src/analyzer/protocol/rdp/rdp-analyzer.pac    |  4 +++
 src/analyzer/protocol/rdp/rdp-protocol.pac    |  4 +--
 .../out                                       | 12 ++++++++
 .../rdp/rdp-client-cluster-data.zeek          | 28 +++++++++++++++++++
 5 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
 create mode 100644 testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index f40b1a6fbe..728077e062 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4307,8 +4307,12 @@ export {
 	};
 
         type RDP::ClientClusterData: record {
-                flags:                  count;
-                redir_session_id:       count;
+                flags:                  		count;
+                redir_session_id:       		count;
+		redir_supported:			bool;
+		svr_session_redir_version_mask:		count;
+		redir_sessionid_field_valid:		count;
+		redir_smartcard:			bool;
         };
 
 	## The list of channels requested by the client.
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index 3007529f98..2355ceab79 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -164,6 +164,10 @@ refine flow RDP_Flow += {
                 RecordVal* ccld = new RecordVal(BifType::Record::RDP::ClientClusterData);
 		ccld->Assign(0, val_mgr->GetCount(${ccluster.flags}));
 		ccld->Assign(1, val_mgr->GetCount(${ccluster.redir_session_id}));
+ 		ccld->Assign(2, val_mgr->GetBool(${ccluster.REDIRECTION_SUPPORTED}));
+ 		ccld->Assign(3, val_mgr->GetCount(${ccluster.SERVER_SESSION_REDIRECTION_VERSION_MASK}));
+ 		ccld->Assign(4, val_mgr->GetCount(${ccluster.REDIRECTED_SESSIONID_FIELD_VALID}));
+ 		ccld->Assign(5, val_mgr->GetBool(${ccluster.REDIRECTED_SMARTCARD}));
 
                 BifEvent::generate_rdp_client_cluster_data(connection()->bro_analyzer(),
                                                             connection()->bro_analyzer()->Conn(),
diff --git a/src/analyzer/protocol/rdp/rdp-protocol.pac b/src/analyzer/protocol/rdp/rdp-protocol.pac
index f10dcf0af4..bcf5e89a2e 100644
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@@ -235,8 +235,8 @@ type Client_Cluster_Data = record {
 	redir_session_id: uint32;
 } &let {
 	REDIRECTION_SUPPORTED:				bool = redir_session_id & 0x00000001;
-	SERVER_SESSION_REDIRECTION_VERSION_MASK:	int = (redir_session_id & 0x0000003C);
-	REDIRECTED_SESSIONID_FIELD_VALID:		int = (redir_session_id & 0x00000002);
+	SERVER_SESSION_REDIRECTION_VERSION_MASK:	uint8 = (redir_session_id & 0x0000003C);
+	REDIRECTED_SESSIONID_FIELD_VALID:		uint8 = (redir_session_id & 0x00000002);
 	REDIRECTED_SMARTCARD:				bool = redir_session_id & 0x00000040;
 } &byteorder=littleendian;
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
new file mode 100644
index 0000000000..53973a2324
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-client-cluster_data/out
@@ -0,0 +1,12 @@
+RDP Client Cluster Data
+Flags: 0000000d
+RedirSessionId: 00000000
+Redirection Supported: 00000000
+ServerSessionRedirectionVersionMask: 00000000
+RedirectionSessionIDFieldValid: 00000000
+RedirectedSmartCard: 00000000
+RDP Client Channel List Options
+80800000
+c0000000
+c0800000
+c0a00000
diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek b/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
new file mode 100644
index 0000000000..97a711209a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/rdp/rdp-client-cluster-data.zeek
@@ -0,0 +1,28 @@
+# @TEST-EXEC: zeek -r $TRACES/rdp/rdp-proprietary-encryption.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocol/rdp
+
+
+event rdp_client_cluster_data(c: connection, data: RDP::ClientClusterData)
+{
+print "RDP Client Cluster Data";
+#print data;
+print fmt("Flags: %08x",data$flags);
+print fmt("RedirSessionId: %08x",data$redir_session_id);
+print fmt("Redirection Supported: %08x",data$redir_supported);
+print fmt("ServerSessionRedirectionVersionMask: %08x",data$svr_session_redir_version_mask);
+print fmt("RedirectionSessionIDFieldValid: %08x",data$redir_sessionid_field_valid);
+print fmt("RedirectedSmartCard: %08x",data$redir_smartcard);
+
+}
+
+
+event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
+{
+print "RDP Client Channel List Options";
+for ( i in channels ) {
+    print fmt("%08x", channels[i]$options);
+  }
+}
+

From 437520f45f5da333e8755212ff09f88bf2c9665b Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Thu, 20 Jun 2019 11:19:17 -0700
Subject: [PATCH 87/91] Make configure complain if submodules are not checked
 out.

Since people forgetting to checkout submodules is such a common failure
case - update configure to give an error message is the cmake directory
seems to be missing.

This just checks for the presence of cmake/COPYING when a .git directory
is found; if cmake/COPYING is not present an error message is displayed.
---
 configure | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/configure b/configure
index ec344d808f..e6b4e1f0b5 100755
--- a/configure
+++ b/configure
@@ -106,6 +106,20 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 
 sourcedir="$( cd "$( dirname "$0" )" && pwd )"
 
+if [ ! -e "$sourcedir/cmake/COPYING" ] && [ -d "$sourcedir/.git" ]; then
+    echo "\
+You seem to be missing the content of the cmake directory.
+
+This typically means that you performed a non-recursive git clone of
+Zeek. To check out the required subdirectories, please execute
+
+ git submodule update --recursive --init
+
+in $sourcedir.
+" >&2;
+    exit 1;
+fi
+
 # Function to append a CMake cache entry definition to the
 # CMakeCacheEntries variable.
 #   $1 is the cache entry variable name

From b9d3d4d63b80044d573ff3dbbe06789df3b82953 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Thu, 20 Jun 2019 14:00:22 -0700
Subject: [PATCH 88/91] Remove unused SerialInfo.h and SerialTypes.h headers

---
 CHANGES           |   4 +
 VERSION           |   2 +-
 src/SerialInfo.h  | 160 -------------------------------
 src/SerialTypes.h | 236 ----------------------------------------------
 4 files changed, 5 insertions(+), 397 deletions(-)
 delete mode 100644 src/SerialInfo.h
 delete mode 100644 src/SerialTypes.h

diff --git a/CHANGES b/CHANGES
index 2ffd5506ba..03c4affe55 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.6-477 | 2019-06-20 14:00:22 -0700
+
+  * Remove unused SerialInfo.h and SerialTypes.h headers (Jon Siwek, Corelight)
+
 2.6-476 | 2019-06-20 13:23:22 -0700
 
   * Remove opaque of ocsp_resp. (Johanna Amann, Corelight)
diff --git a/VERSION b/VERSION
index 2c31edab5c..6aee059b51 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-476
+2.6-477
diff --git a/src/SerialInfo.h b/src/SerialInfo.h
deleted file mode 100644
index 04cd79daf7..0000000000
--- a/src/SerialInfo.h
+++ /dev/null
@@ -1,160 +0,0 @@
-// Helper classes to pass data between serialization methods.
-
-#ifndef serialinfo_h
-#define serialinfo_h
-
-class SerialInfo {
-public:
-	SerialInfo(Serializer* arg_s)
-		{
-		s = arg_s;
-		may_suspend = clear_containers = false;
-		cache = globals_as_names = true;
-		type = SER_NONE;
-		pid_32bit = false;
-		include_locations = true;
-		new_cache_strategy = false;
-		}
-
-	SerialInfo(const SerialInfo& info)
-		{
-		s = info.s;
-		may_suspend = info.may_suspend;
-		cache = info.cache;
-		type = info.type;
-		clear_containers = info.clear_containers;
-		globals_as_names = info.globals_as_names;
-		pid_32bit = info.pid_32bit;
-		include_locations = info.include_locations;
-		new_cache_strategy = info.new_cache_strategy;
-		}
-
-	// Parameters that control serialization.
-	Serializer* s;	// serializer to use
-	bool cache;	// true if object caching is ok
-	bool may_suspend;	// if true, suspending serialization is ok
-	bool clear_containers;	// if true, store container values as empty
-	bool include_locations;	// if true, include locations in serialization
-
-	// If true, for NameExpr's serialize just the names of globals, just
-	// their value.
-	bool globals_as_names;
-
-	bool pid_32bit;	// if true, use old-style 32-bit permanent IDs
-
-	// If true, we support keeping objs in cache permanently.
-	bool new_cache_strategy;
-
-	// Attributes set during serialization.
-	SerialType type;	// type of currently serialized object
-
-	// State for suspending/resuming serialization
-	Continuation cont;
-};
-
-class UnserialInfo {
-public:
-	UnserialInfo(Serializer* arg_s)
-		{
-		s = arg_s;
-		cache = true;
-		type = SER_NONE;
-		install_globals = install_conns = true;
-		install_uniques = false;
-		ignore_callbacks = false;
-		id_policy = Replace;
-		print = 0;
-		pid_32bit = false;
-		new_cache_strategy = false;
-		}
-
-	UnserialInfo(const UnserialInfo& info)
-		{
-		s = info.s;
-		cache = info.cache;
-		type = info.type;
-		install_globals = info.install_globals;
-		install_uniques = info.install_uniques;
-		install_conns = info.install_conns;
-		ignore_callbacks = info.ignore_callbacks;
-		id_policy = info.id_policy;
-		print = info.print;
-		pid_32bit = info.pid_32bit;
-		new_cache_strategy = info.new_cache_strategy;
-		}
-
-	// Parameters that control unserialization.
-	Serializer* s;	// serializer to use
-	bool cache;	// if true,  object caching is ok
-	FILE* print;	// print read objects to given file (human-readable)
-
-	bool install_globals;	// if true, install unknown globals
-				// in global scope
-	bool install_conns;	// if true, add connections to session table
-	bool install_uniques;	// if true, install unknown globally
-				// unique IDs in global scope
-	bool ignore_callbacks;	// if true, don't call Got*() callbacks
-	bool pid_32bit; // if true, use old-style 32-bit permanent IDs.
-
-	// If true, we support keeping objs in cache permanently.
-	bool new_cache_strategy;
-
-	// If a global ID already exits, of these policies is used.
-	enum {
-		Keep,	// keep the old ID and ignore the new
-		Replace,	// install the new ID (default)
-
-		// Keep current ID instance but copy the new value into it
-		// (types have to match).
-		CopyNewToCurrent,
-
-		// Install the new ID instance but replace its value
-		// with that of the old one (types have to match).
-		CopyCurrentToNew,
-
-		// Instantiate a new ID, but do not insert it into the global
-		// space.
-		InstantiateNew,
-	} id_policy;
-
-	// Attributes set during unserialization.
-	SerialType type;	// type of currently unserialized object
-};
-
-// Helper class to temporarily disable suspending for all next-level calls
-// using the given SerialInfo.  It saves the current value of info.may_suspend
-// and then sets it to false.  When it goes out of scope, the original value
-// is restored.
-//
-// We need this because not all classes derived from SerialObj are
-// suspension-aware yet, i.e., they don't work correctly if one of the
-// next-level functions suspends. Eventually this may change, but actually
-// it's not very important: most classes don't need to suspend anyway as
-// their data volume is very small.  We have to make sure though that those
-// which do (e.g. TableVals) support suspension.
-class DisableSuspend {
-public:
-	DisableSuspend(SerialInfo* arg_info)
-		{
-		info = arg_info;
-		old_may_suspend = info->may_suspend;
-		info->may_suspend = false;
-		}
-
-	~DisableSuspend()	{ Restore(); }
-
-	void Release()	{ info = 0; }
-
-	// Restores the suspension-state to its original value.
-	void Restore()
-		{
-		if ( info )
-			info->may_suspend = old_may_suspend;
-		}
-
-private:
-	SerialInfo* info;
-	bool old_may_suspend;
-};
-
-#endif
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
deleted file mode 100644
index a0b3f4231b..0000000000
--- a/src/SerialTypes.h
+++ /dev/null
@@ -1,236 +0,0 @@
-#ifndef serialtypes_h
-#define serialtypes_h
-
-// Each serializable class gets a type.
-//
-// The type enables a form of poor man's type-checking:
-//     Bit 0-7:  Number (unique relative to main parent (see below)).
-//     Bit 8-12: Main parent class (SER_IS_*)
-//     Bit 13:   unused
-//     Bit 14:   1 if preference is to keep in cache.
-//     Bit 15:   1 if derived from BroObj.
-
-typedef uint16 SerialType;
-
-static const SerialType SER_TYPE_MASK_EXACT = 0x1fff;
-static const SerialType SER_TYPE_MASK_PARENT = 0x1f00;
-static const SerialType SER_IS_CACHE_STABLE = 0x4000;
-static const SerialType SER_IS_BRO_OBJ = 0x8000;
-
-#define SERIAL_CONST(name, val, type) \
-	const SerialType SER_ ## name = val | SER_IS_ ## type;
-
-#define SERIAL_CONST2(name) SERIAL_CONST(name, 1, name)
-
-#define SERIAL_IS(name, val) \
-	static const SerialType SER_IS_ ## name = val;
-#define SERIAL_IS_BO(name, val) \
-	static const SerialType SER_IS_ ## name = val | SER_IS_BRO_OBJ;
-#define SERIAL_IS_BO_AND_CACHE_STABLE(name, val) \
-	static const SerialType SER_IS_ ## name = val | (SER_IS_BRO_OBJ | SER_IS_CACHE_STABLE);
-
-SERIAL_IS_BO(CONNECTION, 0x0100)
-SERIAL_IS(TIMER, 0x0200)
-SERIAL_IS(TCP_ENDPOINT, 0x0300)
-SERIAL_IS_BO(TCP_ANALYZER, 0x0400)
-SERIAL_IS_BO(TCP_ENDPOINT_ANALYZER, 0x0500)
-SERIAL_IS(TCP_CONTENTS, 0x0600)
-SERIAL_IS(REASSEMBLER, 0x0700)
-SERIAL_IS_BO(VAL, 0x0800)
-SERIAL_IS_BO_AND_CACHE_STABLE(EXPR, 0x0900)
-SERIAL_IS_BO_AND_CACHE_STABLE(BRO_TYPE, 0x0a00)
-SERIAL_IS_BO_AND_CACHE_STABLE(STMT, 0x0b00)
-SERIAL_IS_BO_AND_CACHE_STABLE(ATTRIBUTES, 0x0c00)
-SERIAL_IS_BO_AND_CACHE_STABLE(EVENT_HANDLER, 0x0d00)
-SERIAL_IS_BO_AND_CACHE_STABLE(BRO_FILE, 0x0e00)
-SERIAL_IS_BO_AND_CACHE_STABLE(FUNC, 0x0f00)
-SERIAL_IS_BO(ID, 0x1000)
-SERIAL_IS(STATE_ACCESS, 0x1100)
-SERIAL_IS_BO(CASE, 0x1200)
-SERIAL_IS(LOCATION, 0x1300)
-SERIAL_IS(RE_MATCHER, 0x1400)
-SERIAL_IS(BITVECTOR, 0x1500)
-SERIAL_IS(COUNTERVECTOR, 0x1600)
-SERIAL_IS(BLOOMFILTER, 0x1700)
-SERIAL_IS(HASHER, 0x1800)
-
-// These are the externally visible types.
-const SerialType SER_NONE = 0;
-
-SERIAL_CONST2(BRO_OBJ)
-
-#define SERIAL_CONN(name, val) SERIAL_CONST(name, val, CONNECTION)
-SERIAL_CONN(CONNECTION, 1)
-SERIAL_CONN(ICMP_ANALYZER, 2)
-// We use ICMP_Echo here rather than ICMP_ECHO because the latter gets
-// macro expanded :-(.
-SERIAL_CONN(ICMP_Echo, 3)
-SERIAL_CONN(ICMP_CONTEXT, 4)
-SERIAL_CONN(TCP_CONNECTION, 5)
-SERIAL_CONN(TCP_CONNECTION_CONTENTS, 6)
-SERIAL_CONN(FTP_CONN, 7)
-SERIAL_CONN(UDP_CONNECTION, 8)
-
-#define SERIAL_TIMER(name, val) SERIAL_CONST(name, val, TIMER)
-SERIAL_TIMER(TIMER, 1)
-SERIAL_TIMER(CONNECTION_TIMER, 2)
-
-SERIAL_CONST2(TCP_ENDPOINT)
-SERIAL_CONST2(TCP_ANALYZER)
-SERIAL_CONST2(TCP_ENDPOINT_ANALYZER)
-
-#define SERIAL_TCP_CONTENTS(name, val) SERIAL_CONST(name, val, TCP_CONTENTS)
-SERIAL_TCP_CONTENTS(TCP_CONTENTS, 1)
-SERIAL_TCP_CONTENTS(TCP_CONTENT_LINE, 2)
-SERIAL_TCP_CONTENTS(TCP_NVT, 3)
-
-#define SERIAL_REASSEMBLER(name, val) SERIAL_CONST(name, val, REASSEMBLER)
-SERIAL_REASSEMBLER(REASSEMBLER, 1)
-SERIAL_REASSEMBLER(TCP_REASSEMBLER, 2)
-SERIAL_REASSEMBLER(FILE_REASSEMBLER, 3)
-
-#define SERIAL_VAL(name, val) SERIAL_CONST(name, val, VAL)
-SERIAL_VAL(VAL, 1)
-SERIAL_VAL(INTERVAL_VAL,  2)
-SERIAL_VAL(PORT_VAL, 3)
-SERIAL_VAL(ADDR_VAL, 4)
-SERIAL_VAL(SUBNET_VAL, 5)
-SERIAL_VAL(STRING_VAL, 6)
-SERIAL_VAL(PATTERN_VAL, 7)
-SERIAL_VAL(LIST_VAL, 8)
-SERIAL_VAL(TABLE_VAL, 9)
-SERIAL_VAL(RECORD_VAL, 10)
-SERIAL_VAL(ENUM_VAL, 11)
-SERIAL_VAL(VECTOR_VAL, 12)
-SERIAL_VAL(MUTABLE_VAL, 13)
-SERIAL_VAL(OPAQUE_VAL, 14)
-SERIAL_VAL(HASH_VAL, 15)
-SERIAL_VAL(MD5_VAL, 16)
-SERIAL_VAL(SHA1_VAL, 17)
-SERIAL_VAL(SHA256_VAL, 18)
-SERIAL_VAL(ENTROPY_VAL, 19)
-SERIAL_VAL(TOPK_VAL, 20)
-SERIAL_VAL(BLOOMFILTER_VAL, 21)
-SERIAL_VAL(CARDINALITY_VAL, 22)
-SERIAL_VAL(X509_VAL, 23)
-SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24)
-SERIAL_VAL(COMM_DATA_VAL, 25)
-SERIAL_VAL(OCSP_RESP_VAL, 26)
-
-#define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR)
-SERIAL_EXPR(EXPR, 1)
-SERIAL_EXPR(NAME_EXPR, 2)
-SERIAL_EXPR(CONST_EXPR, 3)
-SERIAL_EXPR(UNARY_EXPR, 4)
-SERIAL_EXPR(BINARY_EXPR, 5)
-SERIAL_EXPR(INCR_EXPR, 6)
-SERIAL_EXPR(NOT_EXPR, 7)
-SERIAL_EXPR(POS_EXPR, 8)
-SERIAL_EXPR(NEG_EXPR, 9)
-SERIAL_EXPR(ADD_EXPR, 10)
-SERIAL_EXPR(SUB_EXPR, 11)
-SERIAL_EXPR(TIMES_EXPR, 12)
-SERIAL_EXPR(DIVIDE_EXPR, 13)
-SERIAL_EXPR(MOD_EXPR, 14)
-SERIAL_EXPR(BOOL_EXPR, 15)
-SERIAL_EXPR(EQ_EXPR, 16)
-SERIAL_EXPR(REL_EXPR, 17)
-SERIAL_EXPR(COND_EXPR, 18)
-SERIAL_EXPR(REF_EXPR, 19)
-SERIAL_EXPR(ASSIGN_EXPR, 20)
-SERIAL_EXPR(INDEX_EXPR, 21)
-SERIAL_EXPR(FIELD_EXPR, 22)
-SERIAL_EXPR(HAS_FIELD_EXPR, 23)
-SERIAL_EXPR(RECORD_CONSTRUCTOR_EXPR, 24)
-SERIAL_EXPR(FIELD_ASSIGN_EXPR, 25)
-// There used to be a SERIAL_EXPR(RECORD_MATCH_EXPR, 26) here
-SERIAL_EXPR(ARITH_COERCE_EXPR, 27)
-SERIAL_EXPR(RECORD_COERCE_EXPR, 28)
-SERIAL_EXPR(FLATTEN_EXPR, 29)
-SERIAL_EXPR(SCHEDULE_EXPR, 30)
-SERIAL_EXPR(IN_EXPR, 31)
-SERIAL_EXPR(CALL_EXPR, 32)
-SERIAL_EXPR(EVENT_EXPR, 33)
-SERIAL_EXPR(LIST_EXPR, 34)
-SERIAL_EXPR(RECORD_ASSIGN_EXPR, 35)
-SERIAL_EXPR(ADD_TO_EXPR, 36)
-SERIAL_EXPR(REMOVE_FROM_EXPR, 37)
-SERIAL_EXPR(SIZE_EXPR, 38)
-SERIAL_EXPR(CLONE_EXPR, 39)
-SERIAL_EXPR(TABLE_CONSTRUCTOR_EXPR, 40)
-SERIAL_EXPR(SET_CONSTRUCTOR_EXPR, 41)
-SERIAL_EXPR(VECTOR_CONSTRUCTOR_EXPR, 42)
-SERIAL_EXPR(TABLE_COERCE_EXPR, 43)
-SERIAL_EXPR(VECTOR_COERCE_EXPR, 44)
-SERIAL_EXPR(CAST_EXPR, 45)
-SERIAL_EXPR(IS_EXPR_, 46) // Name conflict with internal SER_IS_EXPR constant.
-SERIAL_EXPR(BIT_EXPR, 47)
-SERIAL_EXPR(COMPLEMENT_EXPR, 48)
-SERIAL_EXPR(INDEX_SLICE_ASSIGN_EXPR, 49)
-
-#define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT)
-SERIAL_STMT(STMT, 1)
-SERIAL_STMT(EXPR_LIST_STMT, 2)
-// There used to be ALARM_STMT (3) here.
-SERIAL_STMT(PRINT_STMT, 4)
-SERIAL_STMT(EXPR_STMT, 5)
-SERIAL_STMT(IF_STMT, 6)
-SERIAL_STMT(SWITCH_STMT, 7)
-SERIAL_STMT(ADD_STMT, 8)
-SERIAL_STMT(DEL_STMT, 9)
-SERIAL_STMT(EVENT_STMT, 10)
-SERIAL_STMT(FOR_STMT, 11)
-SERIAL_STMT(NEXT_STMT, 12)
-SERIAL_STMT(BREAK_STMT, 13)
-SERIAL_STMT(RETURN_STMT, 14)
-SERIAL_STMT(STMT_LIST, 15)
-SERIAL_STMT(EVENT_BODY_LIST, 16)
-SERIAL_STMT(INIT_STMT, 17)
-SERIAL_STMT(NULL_STMT, 18)
-SERIAL_STMT(WHEN_STMT, 19)
-SERIAL_STMT(FALLTHROUGH_STMT, 20)
-SERIAL_STMT(WHILE_STMT, 21)
-
-#define SERIAL_TYPE(name, val) SERIAL_CONST(name, val, BRO_TYPE)
-SERIAL_TYPE(BRO_TYPE, 1)
-SERIAL_TYPE(TYPE_LIST, 2)
-SERIAL_TYPE(INDEX_TYPE, 3)
-SERIAL_TYPE(TABLE_TYPE, 4)
-SERIAL_TYPE(SET_TYPE, 5)
-SERIAL_TYPE(FUNC_TYPE, 6)
-SERIAL_TYPE(RECORD_TYPE, 7)
-SERIAL_TYPE(SUBNET_TYPE, 8)
-SERIAL_TYPE(FILE_TYPE, 9)
-SERIAL_TYPE(ENUM_TYPE, 10)
-SERIAL_TYPE(VECTOR_TYPE, 11)
-SERIAL_TYPE(OPAQUE_TYPE, 12)
-
-SERIAL_CONST2(ATTRIBUTES)
-SERIAL_CONST2(EVENT_HANDLER)
-SERIAL_CONST2(BRO_FILE)
-
-#define SERIAL_FUNC(name, val) SERIAL_CONST(name, val, FUNC)
-SERIAL_FUNC(FUNC, 1)
-SERIAL_FUNC(BRO_FUNC, 2)
-SERIAL_FUNC(DEBUG_FUNC, 3)
-SERIAL_FUNC(BUILTIN_FUNC, 4)
-
-#define SERIAL_BLOOMFILTER(name, val) SERIAL_CONST(name, val, BLOOMFILTER)
-SERIAL_BLOOMFILTER(BLOOMFILTER, 1)
-SERIAL_BLOOMFILTER(BASICBLOOMFILTER, 2)
-SERIAL_BLOOMFILTER(COUNTINGBLOOMFILTER, 3)
-
-#define SERIAL_HASHER(name, val) SERIAL_CONST(name, val, HASHER)
-SERIAL_HASHER(HASHER, 1)
-SERIAL_HASHER(DEFAULTHASHER, 2)
-SERIAL_HASHER(DOUBLEHASHER, 3)
-
-SERIAL_CONST2(ID)
-SERIAL_CONST2(STATE_ACCESS)
-SERIAL_CONST2(CASE)
-SERIAL_CONST2(LOCATION)
-SERIAL_CONST2(RE_MATCHER)
-SERIAL_CONST2(BITVECTOR)
-SERIAL_CONST2(COUNTERVECTOR)
-
-#endif

From 61d19d25e18cff3f5e050331f0a752d309c898f7 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Thu, 20 Jun 2019 14:19:11 -0700
Subject: [PATCH 89/91] Remove old Broccoli SSL options

- ssl_ca_certificate
- ssl_private_key
- ssl_passphrase
---
 CHANGES                     |  8 ++++++++
 NEWS                        |  3 +++
 VERSION                     |  2 +-
 doc                         |  2 +-
 scripts/base/init-bare.zeek | 16 ----------------
 src/NetVar.cc               |  8 --------
 src/NetVar.h                |  4 ----
 7 files changed, 13 insertions(+), 30 deletions(-)

diff --git a/CHANGES b/CHANGES
index 03c4affe55..115d0ef359 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,12 @@
 
+2.6-478 | 2019-06-20 14:19:11 -0700
+
+  * Remove old Broccoli SSL options (Jon Siwek, Corelight)
+
+    - ssl_ca_certificate
+    - ssl_private_key
+    - ssl_passphrase
+
 2.6-477 | 2019-06-20 14:00:22 -0700
 
   * Remove unused SerialInfo.h and SerialTypes.h headers (Jon Siwek, Corelight)
diff --git a/NEWS b/NEWS
index 197419c97d..85c01507a4 100644
--- a/NEWS
+++ b/NEWS
@@ -418,6 +418,9 @@ Removed Functionality
     - ``log_encryption_key``
     - ``state_dir``
     - ``state_write_delay``
+    - ``ssl_ca_certificate``
+    - ``ssl_private_key``
+    - ``ssl_passphrase``
 
 - The following constants were used as part of deprecated functionality in version 2.6
   or below and are removed from this release:
diff --git a/VERSION b/VERSION
index 6aee059b51..97bdea11c7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-477
+2.6-478
diff --git a/doc b/doc
index e5b95022ff..a5f2286834 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit e5b95022ffa68ddf4645228d123cf1ea73a55186
+Subproject commit a5f2286834e404df5eb8291fe078732c6b5763ab
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index f68bf3a545..1a57375d4c 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -4710,22 +4710,6 @@ const report_gaps_for_partial = F &redef;
 ## controlled for reproducing results.
 const exit_only_after_terminate = F &redef;
 
-## The CA certificate file to authorize remote Zeeks/Broccolis.
-##
-## .. zeek:see:: ssl_private_key ssl_passphrase
-const ssl_ca_certificate = "<undefined>" &redef;
-
-## File containing our private key and our certificate.
-##
-## .. zeek:see:: ssl_ca_certificate ssl_passphrase
-const ssl_private_key = "<undefined>" &redef;
-
-## The passphrase for our private key. Keeping this undefined
-## causes Zeek to prompt for the passphrase.
-##
-## .. zeek:see:: ssl_private_key ssl_ca_certificate
-const ssl_passphrase = "<undefined>" &redef;
-
 ## Default mode for Zeek's user-space dynamic packet filter. If true, packets
 ## that aren't explicitly allowed through, are dropped from any further
 ## processing.
diff --git a/src/NetVar.cc b/src/NetVar.cc
index b9230bece7..3ed77ea277 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -165,10 +165,6 @@ StringVal* log_rotate_base_time;
 StringVal* peer_description;
 bro_uint_t chunked_io_buffer_soft_cap;
 
-StringVal* ssl_ca_certificate;
-StringVal* ssl_private_key;
-StringVal* ssl_passphrase;
-
 Val* profiling_file;
 double profiling_interval;
 int expensive_profiling_multiple;
@@ -244,10 +240,6 @@ void init_general_global_var()
 		internal_val("peer_description")->AsStringVal();
 	chunked_io_buffer_soft_cap = opt_internal_unsigned("chunked_io_buffer_soft_cap");
 
-	ssl_ca_certificate = internal_val("ssl_ca_certificate")->AsStringVal();
-	ssl_private_key = internal_val("ssl_private_key")->AsStringVal();
-	ssl_passphrase = internal_val("ssl_passphrase")->AsStringVal();
-
 	packet_filter_default = opt_internal_int("packet_filter_default");
 
 	sig_max_group_size = opt_internal_int("sig_max_group_size");
diff --git a/src/NetVar.h b/src/NetVar.h
index 9fa4d75fa6..cbb08a1306 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -168,10 +168,6 @@ extern StringVal* log_rotate_base_time;
 extern StringVal* peer_description;
 extern bro_uint_t chunked_io_buffer_soft_cap;
 
-extern StringVal* ssl_ca_certificate;
-extern StringVal* ssl_private_key;
-extern StringVal* ssl_passphrase;
-
 extern Val* profiling_file;
 extern double profiling_interval;
 extern int expensive_profiling_multiple;

From aefd9322fdef9c1a34ef18de9fe720ddc73ae066 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Thu, 20 Jun 2019 18:31:58 -0700
Subject: [PATCH 90/91] Fix TableVal::DoClone to use CloneState cache

---
 CHANGES                                  |  4 +++
 VERSION                                  |  2 +-
 src/Val.cc                               |  2 +-
 src/Val.h                                |  7 +++--
 testing/btest/Baseline/language.copy/out |  3 +++
 testing/btest/language/copy.zeek         | 33 +++++++++++++++++++-----
 6 files changed, 38 insertions(+), 13 deletions(-)

diff --git a/CHANGES b/CHANGES
index 115d0ef359..516943f29d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.6-479 | 2019-06-20 18:31:58 -0700
+
+  * Fix TableVal::DoClone to use CloneState cache (Jon Siwek, Corelight)
+
 2.6-478 | 2019-06-20 14:19:11 -0700
 
   * Remove old Broccoli SSL options (Jon Siwek, Corelight)
diff --git a/VERSION b/VERSION
index 97bdea11c7..6802e60598 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-478
+2.6-479
diff --git a/src/Val.cc b/src/Val.cc
index 409268d801..04e08feb61 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -2181,7 +2181,7 @@ Val* TableVal::DoClone(CloneState* state)
 	TableEntryVal* val;
 	while ( (val = tbl->NextEntry(key, cookie)) )
 		{
-		TableEntryVal* nval = val->Clone();
+		TableEntryVal* nval = val->Clone(state);
 		tv->AsNonConstTable()->Insert(key, nval);
 
 		if ( subnets )
diff --git a/src/Val.h b/src/Val.h
index 8168113acd..4d76ccc804 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -3,8 +3,6 @@
 #ifndef val_h
 #define val_h
 
-// BRO values.
-
 #include <vector>
 #include <list>
 #include <array>
@@ -374,6 +372,7 @@ protected:
 	friend class RecordVal;
 	friend class VectorVal;
 	friend class ValManager;
+	friend class TableEntryVal;
 
 	virtual void ValDescribe(ODesc* d) const;
 	virtual void ValDescribeReST(ODesc* d) const;
@@ -804,9 +803,9 @@ public:
 			int(network_time - bro_start_network_time);
 		}
 
-	TableEntryVal* Clone()
+	TableEntryVal* Clone(Val::CloneState* state)
 		{
-		auto rval = new TableEntryVal(val ? val->Clone() : nullptr);
+		auto rval = new TableEntryVal(val ? val->Clone(state) : nullptr);
 		rval->last_access_time = last_access_time;
 		rval->expire_access_time = expire_access_time;
 		rval->last_read_update = last_read_update;
diff --git a/testing/btest/Baseline/language.copy/out b/testing/btest/Baseline/language.copy/out
index 675d38aa5d..fbc2c4b04d 100644
--- a/testing/btest/Baseline/language.copy/out
+++ b/testing/btest/Baseline/language.copy/out
@@ -1,2 +1,5 @@
 direct assignment (PASS)
 using copy (PASS)
+F, T
+F, T
+[a=42], [a=42], [a=42], [a=42]
diff --git a/testing/btest/language/copy.zeek b/testing/btest/language/copy.zeek
index 9ac1e577ea..638976295d 100644
--- a/testing/btest/language/copy.zeek
+++ b/testing/btest/language/copy.zeek
@@ -2,14 +2,12 @@
 # @TEST-EXEC: btest-diff out
 
 function test_case(msg: string, expect: bool)
-        {
-        print fmt("%s (%s)", msg, expect ? "PASS" : "FAIL");
-        }
-
-
+	{
+	print fmt("%s (%s)", msg, expect ? "PASS" : "FAIL");
+	}
 
 event zeek_init()
-{
+	{
 	# "b" is not a copy of "a"
 	local a: set[string] = set("this", "test");
 	local b: set[string] = a;
@@ -25,6 +23,27 @@ event zeek_init()
 	delete c["this"];
 
 	test_case( "using copy", |d| == 2 && "this" in d);
+	}
 
-}
+type myrec: record {
+	a: count;
+};
+
+event zeek_init()
+	{
+	local v: vector of myrec;
+	local t: table[count] of myrec;
+	local mr = myrec($a = 42);
+
+	t[0] = mr;
+	t[1] = mr;
+	local tc = copy(t);
+	print same_object(t, tc), same_object(tc[0], tc[1]);
+
+	v[0] = mr;
+	v[1] = mr;
+	local vc = copy(v);
+	print same_object(v, vc), same_object(vc[0], vc[1]);
+	print tc[0], tc[1], vc[0], vc[1];
+	}
 

From 8f19bbe589ea1d2f056e01c9cf61a5fd080eaa84 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Thu, 20 Jun 2019 19:50:23 -0700
Subject: [PATCH 91/91] Improve C++ header includes to improve build time

Recent changes ended up including all the Broker headers more places
than necessary, causing compile time to increase 2x.
---
 src/OpaqueVal.cc                        |  2 ++
 src/OpaqueVal.h                         |  3 +++
 src/Val.h                               |  2 --
 src/broker/Data.cc                      |  3 +++
 src/broker/Data.h                       |  4 +++-
 src/broker/Manager.h                    | 12 +++++++++++-
 src/broker/Store.h                      |  4 +++-
 src/file_analysis/analyzer/x509/X509.cc |  2 ++
 src/probabilistic/BitVector.h           |  3 ++-
 src/probabilistic/BloomFilter.cc        |  2 ++
 src/probabilistic/BloomFilter.h         |  3 ++-
 src/probabilistic/CardinalityCounter.h  |  6 +++++-
 src/probabilistic/CounterVector.cc      |  3 +++
 src/probabilistic/CounterVector.h       |  3 ++-
 src/probabilistic/Hasher.h              |  5 ++++-
 src/probabilistic/Topk.cc               |  2 ++
 16 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc
index 4d7c66b431..93adc5ca06 100644
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@@ -6,6 +6,8 @@
 #include "probabilistic/BloomFilter.h"
 #include "probabilistic/CardinalityCounter.h"
 
+#include <broker/error.hh>
+
 // Helper to retrieve a broker value out of a broker::vector at a specified
 // index, and casted to the expected destination type.
 template<typename S, typename V, typename D>
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h
index 17ee78e2fd..3e1b91f0ab 100644
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@@ -3,6 +3,9 @@
 #ifndef OPAQUEVAL_H
 #define OPAQUEVAL_H
 
+#include <broker/data.hh>
+#include <broker/expected.hh>
+
 #include "RandTest.h"
 #include "Val.h"
 #include "digest.h"
diff --git a/src/Val.h b/src/Val.h
index 4d76ccc804..5bc5df4da9 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -8,8 +8,6 @@
 #include <array>
 #include <unordered_map>
 
-#include <broker/broker.hh>
-
 #include "net_util.h"
 #include "Type.h"
 #include "Dict.h"
diff --git a/src/broker/Data.cc b/src/broker/Data.cc
index 966fed6426..d2e53fe45b 100644
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@@ -1,6 +1,9 @@
 #include "Data.h"
 #include "File.h"
 #include "broker/data.bif.h"
+
+#include <broker/error.hh>
+
 #include <caf/stream_serializer.hpp>
 #include <caf/stream_deserializer.hpp>
 #include <caf/streambuf.hpp>
diff --git a/src/broker/Data.h b/src/broker/Data.h
index eda8f6550c..b134656123 100644
--- a/src/broker/Data.h
+++ b/src/broker/Data.h
@@ -1,7 +1,9 @@
 #ifndef BRO_COMM_DATA_H
 #define BRO_COMM_DATA_H
 
-#include <broker/broker.hh>
+#include <broker/data.hh>
+#include <broker/expected.hh>
+
 #include "OpaqueVal.h"
 #include "Reporter.h"
 #include "Frame.h"
diff --git a/src/broker/Manager.h b/src/broker/Manager.h
index 5dfd2eb235..569355b533 100644
--- a/src/broker/Manager.h
+++ b/src/broker/Manager.h
@@ -1,7 +1,17 @@
 #ifndef BRO_COMM_MANAGER_H
 #define BRO_COMM_MANAGER_H
 
-#include <broker/broker.hh>
+#include <broker/topic.hh>
+#include <broker/data.hh>
+#include <broker/store.hh>
+#include <broker/status.hh>
+#include <broker/error.hh>
+#include <broker/endpoint.hh>
+#include <broker/endpoint_info.hh>
+#include <broker/peer_info.hh>
+#include <broker/backend.hh>
+#include <broker/backend_options.hh>
+#include <broker/detail/hash.hh>
 #include <broker/zeek.hh>
 #include <memory>
 #include <string>
diff --git a/src/broker/Store.h b/src/broker/Store.h
index 7e5b2bde07..46d19ee923 100644
--- a/src/broker/Store.h
+++ b/src/broker/Store.h
@@ -8,7 +8,9 @@
 #include "OpaqueVal.h"
 #include "Trigger.h"
 
-#include <broker/broker.hh>
+#include <broker/store.hh>
+#include <broker/backend.hh>
+#include <broker/backend_options.hh>
 
 namespace bro_broker {
 
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 74b903f585..33f2cb4d07 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -10,6 +10,8 @@
 
 #include "file_analysis/Manager.h"
 
+#include <broker/error.hh>
+
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/asn1.h>
diff --git a/src/probabilistic/BitVector.h b/src/probabilistic/BitVector.h
index 12d628cacf..ecec6f5714 100644
--- a/src/probabilistic/BitVector.h
+++ b/src/probabilistic/BitVector.h
@@ -6,7 +6,8 @@
 #include <iterator>
 #include <vector>
 
-#include <broker/Data.h>
+#include <broker/data.hh>
+#include <broker/expected.hh>
 
 namespace probabilistic {
 
diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc
index f449fad8b6..dd89bf9c19 100644
--- a/src/probabilistic/BloomFilter.cc
+++ b/src/probabilistic/BloomFilter.cc
@@ -4,6 +4,8 @@
 #include <cmath>
 #include <limits>
 
+#include <broker/error.hh>
+
 #include "BloomFilter.h"
 
 #include "CounterVector.h"
diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h
index 6f2362de44..bc22c91014 100644
--- a/src/probabilistic/BloomFilter.h
+++ b/src/probabilistic/BloomFilter.h
@@ -5,7 +5,8 @@
 
 #include <vector>
 
-#include <broker/Data.h>
+#include <broker/data.hh>
+#include <broker/expected.hh>
 
 #include "BitVector.h"
 #include "Hasher.h"
diff --git a/src/probabilistic/CardinalityCounter.h b/src/probabilistic/CardinalityCounter.h
index a2d69d0809..63047172ed 100644
--- a/src/probabilistic/CardinalityCounter.h
+++ b/src/probabilistic/CardinalityCounter.h
@@ -4,7 +4,11 @@
 #define PROBABILISTIC_CARDINALITYCOUNTER_H
 
 #include <stdint.h>
-#include <OpaqueVal.h>
+#include <memory>
+#include <vector>
+
+#include <broker/data.hh>
+#include <broker/expected.hh>
 
 namespace probabilistic {
 
diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc
index a847e06ea7..b9a173356e 100644
--- a/src/probabilistic/CounterVector.cc
+++ b/src/probabilistic/CounterVector.cc
@@ -5,6 +5,9 @@
 #include <cassert>
 #include <limits>
 #include "BitVector.h"
+#include "util.h"
+
+#include <broker/error.hh>
 
 using namespace probabilistic;
 
diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h
index 41674efd11..f8209fabca 100644
--- a/src/probabilistic/CounterVector.h
+++ b/src/probabilistic/CounterVector.h
@@ -6,7 +6,8 @@
 #include <cstddef>
 #include <cstdint>
 
-#include <broker/Data.h>
+#include <broker/data.hh>
+#include <broker/expected.hh>
 
 namespace probabilistic {
 
diff --git a/src/probabilistic/Hasher.h b/src/probabilistic/Hasher.h
index 3218ec4d7a..3d60a264c0 100644
--- a/src/probabilistic/Hasher.h
+++ b/src/probabilistic/Hasher.h
@@ -3,7 +3,10 @@
 #ifndef PROBABILISTIC_HASHER_H
 #define PROBABILISTIC_HASHER_H
 
-#include <broker/Data.h>
+#include <broker/data.hh>
+#include <broker/expected.hh>
+
+#include <memory>
 
 #include "Hash.h"
 
diff --git a/src/probabilistic/Topk.cc b/src/probabilistic/Topk.cc
index 56b9030f21..8ff158e10d 100644
--- a/src/probabilistic/Topk.cc
+++ b/src/probabilistic/Topk.cc
@@ -1,5 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <broker/error.hh>
+
 #include "broker/Data.h"
 #include "probabilistic/Topk.h"
 #include "CompHash.h"