Merge remote-tracking branch 'origin/master' into topic/johanna/dtls

2025-10-16 05:28:20 +00:00 · 2015-03-18 12:25:39 -07:00 · 2015-03-18 12:25:39 -07:00 · 28e6aa9561
commit 28e6aa9561
parent 58ed2eb9ae 567073ac09
57 changed files with 882 additions and 537 deletions
--- a/52
+++ b/52
@ -1,4 +1,56 @@
 2.3-555 | 2015-03-17 15:57:13 -0700
  * Splitting test-all Makefile target into Bro tests and test-aux.
    (Robin Sommer)
 2.3-554 | 2015-03-17 15:40:39 -0700
  * Deprecate &rotate_interval, &rotate_size, &encrypt. Addresses
    BIT-1305. (Jon Siwek)
 2.3-549 | 2015-03-17 09:12:18 -0700
  * BIT-1077: Fix HTTP::log_server_header_names. Before, it just
    re-logged fields from the client side. (Jon Siwek)
 2.3-547 | 2015-03-17 09:07:51 -0700
  * Update certificate validation script to cache valid intermediate
    chains that it encounters on the wire and use those to try to
    validate chains that might be missing intermediate certificates.
    (Johanna Amann)
 2.3-541 | 2015-03-13 15:44:08 -0500
  * Make INSTALL a symlink to doc/install/install.rst (Jon siwek)
  * Fix Broxygen coverage. (Jon Siwek)
 2.3-539 | 2015-03-13 14:19:27 -0500
  * BIT-1335: Include timestamp in default extracted file names.
    And add a policy script to extract all files. (Jon Siwek)
  * BIT-1311: Identify GRE tunnels as Tunnel::GRE, not Tunnel::IP.
    (Jon Siwek)
  * BIT-1309: Add Connection class getter methods for flow labels.
    (Jon Siwek)
 2.3-536 | 2015-03-12 16:16:24 -0500
  * Fix Broker leak tests. (Jon Siwek)
 2.3-534 | 2015-03-12 10:59:49 -0500
  * Update NEWS file. (Jon Siwek)
 2.3-533 | 2015-03-12 10:18:53 -0500
  * Give broker python bindings default install path within --prefix.
    (Jon Siwek)
 2.3-530 | 2015-03-10 13:22:39 -0500
  * Fix broker data stores in absence of --enable-debug. (Jon Siwek)
--- a/3
+++ b/3
@ -1,3 +0,0 @@
 See doc/install/install.rst for installation instructions.
--- a/1
+++ b/1
@ -0,0 +1 @@
 doc/install/install.rst
--- a/14
+++ b/14
@ -51,13 +51,15 @@ distclean:
 	$(MAKE) -C testing $@
 test:
-	@( cd testing && make )
+	-@( cd testing && make )
-test-all: test
+test-aux:
-	test -d aux/broctl && ( cd aux/broctl && make test-all )
+	-test -d aux/broctl && ( cd aux/broctl && make test-all )
-	test -d aux/btest  && ( cd aux/btest && make test )
+	-test -d aux/btest  && ( cd aux/btest && make test )
-	test -d aux/bro-aux && ( cd aux/bro-aux && make test )
+	-test -d aux/bro-aux && ( cd aux/bro-aux && make test )
-	test -d aux/plugins && ( cd aux/plugins && make test-all )
+	-test -d aux/plugins && ( cd aux/plugins && make test-all )
 test-all: test test-aux
 configured:
 	@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
--- a/17
+++ b/17
@ -46,11 +46,9 @@ New Functionality
  TODO: Extend with some more information on  Broker.
  Broker support is by default off for now; it can be enabled at
-  configure time with --enable-broker. It requires CAF
+  configure time with --enable-broker. It requires CAF version 0.13+
  (https://github.com/actor-framework/actor-framework) as well as a
-  C++11 compiler.
+  C++11 compiler (e.g. GCC 4.8+ or Clang 3.3+).
  TODO: Add minumim version for CAF.
  Broker will become a mandatory dependency in future Bro versions.
@ -75,6 +73,11 @@ Changed Functionality
      have been added which contain the same information.  The
      ``mime_type`` field of ``Files::Info`` also still has this info.
    * The earliest point that new mime type information is available is
      in the ``file_mime_type`` event which comes after the ``file_new``
      and ``file_over_new_connection`` events.  Scripts which inspected
      mime type info within those events will need to be adapted.
    * Removed ``Files::add_analyzers_for_mime_type`` function.
    * Removed ``offset`` parameter of the ``file_extraction_limit``
@ -91,6 +94,12 @@ Changed Functionality
 - conn.log gained a new field local_resp that works like local_orig,
  just for the responder address of the connection.
 - GRE tunnels are now identified as ``Tunnel::GRE`` instead of
  ``Tunnel::IP``.
 - The default name for extracted files changed from extract-protocol-id
  to extract-timestamp-protocol-id.
 - [TODO] Add changed BroControl features.
 Deprecated Functionality
--- a/2
+++ b/2
@ -1 +1 @@
-2.3-530
+2.3-555
--- a/aux/broctl
+++ b/aux/broctl
@ -1 +1 @@
-Subproject commit 762d2722290ca0004d0da2b0b96baea6a3a7f3f4
+Subproject commit 71c86d87ffd1750278a185ecff0ba5f5ae8fcf6e
--- a/aux/broker
+++ b/aux/broker
@ -1 +1 @@
-Subproject commit 1a49b0e3d23fdfe8da3187dddb310883b641e4a3
+Subproject commit 1a2ab9ee7c80ca905e86a2a11283e7c0477341a9
--- a/aux/plugins
+++ b/aux/plugins
@ -1 +1 @@
-Subproject commit 71d820e9d8ca753fea8fb34ea3987993b28d79e4
+Subproject commit 172e0559ec508c86abb81b371ee28e79130faec6
--- a/6
+++ b/6
@ -149,6 +149,10 @@ while [ $# -ne 0 ]; do
            append_cache_entry CMAKE_INSTALL_PREFIX PATH   $optarg
            append_cache_entry BRO_ROOT_DIR         PATH   $optarg
            append_cache_entry PY_MOD_INSTALL_DIR   PATH   $optarg/lib/broctl
            if [ -n "$user_enabled_broker" ]; then
                append_cache_entry BROKER_PYTHON_HOME   PATH   $prefix
            fi
            ;;
        --scriptdir=*)
            append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $optarg
@ -189,6 +193,8 @@ while [ $# -ne 0 ]; do
        --enable-broker)
            append_cache_entry ENABLE_CXX11         BOOL   true
            append_cache_entry ENABLE_BROKER        BOOL   true
            append_cache_entry BROKER_PYTHON_HOME   PATH   $prefix
            user_enabled_broker="true"
            ;;
        --disable-broccoli)
            append_cache_entry INSTALL_BROCCOLI     BOOL   false
--- a/doc/script-reference/attributes.rst
+++ b/doc/script-reference/attributes.rst
@ -43,8 +43,6 @@ The Bro scripting language supports the following attributes.
 +-----------------------------+-----------------------------------------------+
 | :bro:attr:`&mergeable`      |Prefer set union for synchronized state.       |
 +-----------------------------+-----------------------------------------------+
 | :bro:attr:`&group`          |Group event handlers to activate/deactivate.   |
 +-----------------------------+-----------------------------------------------+
 | :bro:attr:`&error_handler`  |Used internally for reporter framework events. |
 +-----------------------------+-----------------------------------------------+
 | :bro:attr:`&type_column`    |Used by input framework for "port" type.       |
@ -198,11 +196,6 @@ Here is a more detailed explanation of each attribute:
    inconsistencies and can be avoided by unifying the two sets, rather
    than merely overwriting the old value.
 .. bro:attr:: &group
    Groups event handlers such that those in the same group can be
    jointly activated or deactivated.
 .. bro:attr:: &error_handler
    Internally set on the events that are associated with the reporter
--- a/scripts/base/files/extract/main.bro
+++ b/scripts/base/files/extract/main.bro
@ -53,7 +53,8 @@ function set_limit(f: fa_file, args: Files::AnalyzerArgs, n: count): bool
 function on_add(f: fa_file, args: Files::AnalyzerArgs)
 	{
 	if ( ! args?$extract_filename )
-		args$extract_filename = cat("extract-", f$source, "-", f$id);
+		args$extract_filename = cat("extract-", f$last_active, "-", f$source,
 		                            "-", f$id);
 	f$info$extracted = args$extract_filename;
 	args$extract_filename = build_path_compressed(prefix, args$extract_filename);
--- a/scripts/broxygen/load.bro
+++ b/scripts/broxygen/load.bro
@ -5,6 +5,7 @@
@load frameworks/communication/listen.bro
@load frameworks/control/controllee.bro
@load frameworks/control/controller.bro
@load frameworks/files/extract-all-files.bro
@load policy/misc/dump-events.bro
@load ./example.bro
--- a/scripts/policy/frameworks/files/extract-all-files.bro
+++ b/scripts/policy/frameworks/files/extract-all-files.bro
@ -0,0 +1,8 @@
 ##! Extract all files to disk.
@load base/files/extract
 event file_new(f: fa_file)
 	{
 	Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
 	}
--- a/scripts/policy/protocols/http/header-names.bro
+++ b/scripts/policy/protocols/http/header-names.bro
@ -26,16 +26,20 @@ export {
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
 	{
-	if ( ! is_orig || ! c?$http )
+	if ( ! c?$http )
 		return;
 	if ( is_orig )
 		{
 		if ( log_client_header_names )
 			{
 			if ( ! c$http?$client_header_names )
 				c$http$client_header_names = vector();
 			c$http$client_header_names[|c$http$client_header_names|] = name;
 			}
-		
+		}
 	else
 		{
 		if ( log_server_header_names )
 			{
 			if ( ! c$http?$server_header_names )
@ -43,3 +47,4 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 			c$http$server_header_names[|c$http$server_header_names|] = name;
 			}
 		}
 	}
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@ -1,4 +1,7 @@
 ##! Perform full certificate chain validation for SSL certificates.
 #
 # Also caches all intermediate certificates encountered so far and use them
 # for future validations.
@load base/frameworks/notice
@load base/protocols/ssl
@ -19,10 +22,105 @@ export {
 	};
 	## MD5 hash values for recently validated chains along with the
-	## validation status message are kept in this table to avoid constant
+	## validation status are kept in this table to avoid constant
 	## validation every time the same certificate chain is seen.
 	global recently_validated_certs: table[string] of string = table()
-		&read_expire=5mins &synchronized &redef;
+		&read_expire=5mins &redef;
 	## Use intermediate CA certificate caching when trying to validate
 	## certificates. When this is enabled, Bro keeps track of all valid
 	## intermediate CA certificates that it has seen in the past. When
 	## encountering a host certificate that cannot be validated because
 	## of missing intermediate CA certificate, the cached list is used
 	## to try to validate the cert. This is similar to how Firefox is
 	## doing certificate validation.
 	##
 	## Disabling this will usually greatly increase the number of validation warnings
 	## that you encounter. Only disable if you want to find misconfigured servers.
 	global ssl_cache_intermediate_ca: bool = T &redef;
 	## Event from a worker to the manager that it has encountered a new
 	## valid intermediate.
 	global intermediate_add: event(key: string, value: vector of opaque of x509);
 	## Event from the manager to the workers that a new intermediate chain
 	## is to be added.
 	global new_intermediate: event(key: string, value: vector of opaque of x509);
 }
 global intermediate_cache: table[string] of vector of opaque of x509;
@if ( Cluster::is_enabled() )
@load base/frameworks/cluster
 redef Cluster::manager2worker_events += /SSL::intermediate_add/;
 redef Cluster::worker2manager_events += /SSL::new_intermediate/;
@endif
 function add_to_cache(key: string, value: vector of opaque of x509)
 	{
 	intermediate_cache[key] = value;
@if ( Cluster::is_enabled() )
 	event SSL::new_intermediate(key, value);
@endif
 	}
@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
 event SSL::intermediate_add(key: string, value: vector of opaque of x509)
 	{
 	intermediate_cache[key] = value;
 	}
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
 event SSL::new_intermediate(key: string, value: vector of opaque of x509)
 	{
 	if ( key in intermediate_cache )
 		return;
 	intermediate_cache[key] = value;
 	event SSL::intermediate_add(key, value);
 	}
@endif
 function cache_validate(chain: vector of opaque of x509): string
 	{
 	local chain_hash: vector of string = vector();
 	for ( i in chain )
 		chain_hash[i] = sha1_hash(x509_get_certificate_string(chain[i]));
 	local chain_id = join_string_vec(chain_hash, ".");
 	# If we tried this certificate recently, just return the cached result.
 	if ( chain_id in recently_validated_certs )
 		return recently_validated_certs[chain_id];
 	local result = x509_verify(chain, root_certs);
 	recently_validated_certs[chain_id] = result$result_string;
 	# if we have a working chain where we did not store the intermediate certs
 	# in our cache yet - do so
 	if ( ssl_cache_intermediate_ca &&
 	     result$result_string == "ok" &&
 		   result?$chain_certs &&
 		   |result$chain_certs| > 2 )
 		{
 		local result_chain = result$chain_certs;
 		local icert = x509_parse(result_chain[1]);
 		if ( icert$subject !in intermediate_cache )
 			{
 			local cachechain: vector of opaque of x509;
 			for ( i in result_chain )
 				{
 				if ( i >=1 && i<=|result_chain|-2 )
 					cachechain[i-1] = result_chain[i];
 				}
 			add_to_cache(icert$subject, cachechain);
 			}
 		}
 	return result$result_string;
 	}
 event ssl_established(c: connection) &priority=3
@ -32,9 +130,31 @@ event ssl_established(c: connection) &priority=3
 	     ! c$ssl$cert_chain[0]?$x509 )
 		return;
-	local chain_id = join_string_vec(c$ssl$cert_chain_fuids, ".");
+	local intermediate_chain: vector of opaque of x509 = vector();
 	local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer;
 	local hash = c$ssl$cert_chain[0]$sha1;
 	local result: string;
 	# Look if we already have a working chain for the issuer of this cert.
 	# If yes, try this chain first instead of using the chain supplied from
 	# the server.
 	if ( ssl_cache_intermediate_ca && issuer in intermediate_cache )
 		{
 		intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle;
 		for ( i in intermediate_cache[issuer] )
 			intermediate_chain[i+1] = intermediate_cache[issuer][i];
 		result = cache_validate(intermediate_chain);
 		if ( result == "ok" )
 			{
 			c$ssl$validation_status = result;
 			return;
 			}
 		}
 	# Validation with known chains failed or there was no fitting intermediate
 	# in our store.
 	# Fall back to validating the certificate with the server-supplied chain.
 	local chain: vector of opaque of x509 = vector();
 	for ( i in c$ssl$cert_chain )
 		{
@ -42,18 +162,10 @@ event ssl_established(c: connection) &priority=3
 			chain[i] = c$ssl$cert_chain[i]$x509$handle;
 		}
-	if ( chain_id in recently_validated_certs )
+	result = cache_validate(chain);
-		{
+	c$ssl$validation_status = result;
 		c$ssl$validation_status = recently_validated_certs[chain_id];
 		}
 	else
 		{
 		local result = x509_verify(chain, root_certs);
 		c$ssl$validation_status = result$result_string;
 		recently_validated_certs[chain_id] = result$result_string;
 		}
-	if ( c$ssl$validation_status != "ok" )
+	if ( result != "ok" )
 		{
 		local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
 		NOTICE([$note=Invalid_Server_Cert, $msg=message,
@ -61,5 +173,3 @@ event ssl_established(c: connection) &priority=3
 		        $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]);
 		}
 	}
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@ -28,6 +28,7 @@
@load frameworks/intel/seen/where-locations.bro
@load frameworks/intel/seen/x509.bro
@load frameworks/files/detect-MHR.bro
 #@load frameworks/files/extract-all-files.bro
@load frameworks/files/hash-all-files.bro
@load frameworks/packet-filter/shunt.bro
@load frameworks/software/version-changes.bro
--- a/src/Conn.h
+++ b/src/Conn.h
@ -263,6 +263,9 @@ public:
 	void CheckFlowLabel(bool is_orig, uint32 flow_label);
 	uint32 GetOrigFlowLabel() { return orig_flow_label; }
 	uint32 GetRespFlowLabel() { return resp_flow_label; }
 protected:
 	Connection()	{ persistent = 0; }
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -466,6 +466,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 	id.src_addr = ip_hdr->SrcAddr();
 	id.dst_addr = ip_hdr->DstAddr();
 	Dictionary* d = 0;
 	BifEnum::Tunnel::Type tunnel_type = BifEnum::Tunnel::IP;
 	switch ( proto ) {
 	case IPPROTO_TCP:
@ -606,6 +607,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		// Treat GRE tunnel like IP tunnels, fallthrough to logic below now
 		// that GRE header is stripped and only payload packet remains.
 		// The only thing different is the tunnel type enum value to use.
 		tunnel_type = BifEnum::Tunnel::GRE;
 		}
 	case IPPROTO_IPV4:
@ -653,7 +656,8 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		if ( it == ip_tunnels.end() )
 			{
-			EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr());
+			EncapsulatingConn ec(ip_hdr->SrcAddr(), ip_hdr->DstAddr(),
 			                     tunnel_type);
 			ip_tunnels[tunnel_idx] = TunnelActivity(ec, network_time);
 			timer_mgr->Add(new IPTunnelTimer(network_time, tunnel_idx));
 			}
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@ -37,10 +37,12 @@ public:
 	 *
 	 * @param s The tunnel source address, likely taken from an IP header.
 	 * @param d The tunnel destination address, likely taken from an IP header.
 	 * @param t The type of IP tunnel.
 	 */
-	EncapsulatingConn(const IPAddr& s, const IPAddr& d)
+	EncapsulatingConn(const IPAddr& s, const IPAddr& d,
 	                  BifEnum::Tunnel::Type t = BifEnum::Tunnel::IP)
 		: src_addr(s), dst_addr(d), src_port(0), dst_port(0),
-		  proto(TRANSPORT_UNKNOWN), type(BifEnum::Tunnel::IP),
+		  proto(TRANSPORT_UNKNOWN), type(t),
 		  uid(Bro::UID(bits_per_uid))
 		{
 		}
@ -85,7 +87,8 @@ public:
 		if ( ec1.type != ec2.type )
 			return false;
-		if ( ec1.type == BifEnum::Tunnel::IP )
+		if ( ec1.type == BifEnum::Tunnel::IP ||
 		     ec1.type == BifEnum::Tunnel::GRE )
 			// Reversing endpoints is still same tunnel.
 			return ec1.uid == ec2.uid && ec1.proto == ec2.proto &&
 			  ((ec1.src_addr == ec2.src_addr && ec1.dst_addr == ec2.dst_addr) ||
--- a/src/scan.l
+++ b/src/scan.l
@ -56,6 +56,11 @@ char last_tok[128];
 	if ( ((result = fread(buf, 1, max_size, yyin)) == 0) && ferror(yyin) ) \
 		reporter->Error("read failed with \"%s\"", strerror(errno));
 static void deprecated_attr(const char* attr)
 	{
 	reporter->Warning("Use of deprecated attribute: %s", attr);
 	}
 static string find_relative_file(const string& filename, const string& ext)
 	{
 	if ( filename.empty() )
@ -263,22 +268,50 @@ when	return TOK_WHEN;
 &delete_func	return TOK_ATTR_DEL_FUNC;
 &deprecated	return TOK_ATTR_DEPRECATED;
 &raw_output return TOK_ATTR_RAW_OUTPUT;
 &encrypt	return TOK_ATTR_ENCRYPT;
 &error_handler	return TOK_ATTR_ERROR_HANDLER;
 &expire_func	return TOK_ATTR_EXPIRE_FUNC;
 &log		return TOK_ATTR_LOG;
 &mergeable	return TOK_ATTR_MERGEABLE;
 &optional	return TOK_ATTR_OPTIONAL;
 &persistent	return TOK_ATTR_PERSISTENT;
 &priority	return TOK_ATTR_PRIORITY;
 &type_column	return TOK_ATTR_TYPE_COLUMN;
 &read_expire	return TOK_ATTR_EXPIRE_READ;
 &redef		return TOK_ATTR_REDEF;
 &rotate_interval	return TOK_ATTR_ROTATE_INTERVAL;
 &rotate_size		return TOK_ATTR_ROTATE_SIZE;
 &synchronized	return TOK_ATTR_SYNCHRONIZED;
 &write_expire	return TOK_ATTR_EXPIRE_WRITE;
 &encrypt {
 	deprecated_attr(yytext);
 	return TOK_ATTR_ENCRYPT;
 	}
 &mergeable {
 	// Not yet deprecated, but soon.
 	//deprecated_attr(yytext);
 	return TOK_ATTR_MERGEABLE;
 	}
 &persistent {
 	// Not yet deprecated, but soon.
 	//deprecated_attr(yytext);
 	return TOK_ATTR_PERSISTENT;
 	}
 &rotate_interval {
 	deprecated_attr(yytext);
 	return TOK_ATTR_ROTATE_INTERVAL;
 	}
 &rotate_size {
 	deprecated_attr(yytext);
 	return TOK_ATTR_ROTATE_SIZE;
 	}
 &synchronized  {
 	// Not yet deprecated, but soon.
 	//deprecated_attr(yytext);
 	return TOK_ATTR_SYNCHRONIZED;
 	}
@DEBUG	return TOK_DEBUG;	// marks input for debugger
@DIR	{
--- a/src/types.bif
+++ b/src/types.bif
@ -172,6 +172,7 @@ enum Type %{
 	SOCKS,
 	GTPv1,
 	HTTP,
 	GRE,
 %}
 type EncapsulatingConn: record;
--- a/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out
+++ b/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out
@ -0,0 +1,5 @@
 clone keys, [status=BrokerStore::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
 lookup, one, [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
 lookup, two, [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
 lookup, myset, [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
 lookup, myvec, [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
--- a/testing/btest/Baseline/core.leaks.broker.data/bro..stdout
+++ b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout
@ -1,18 +1,18 @@
-Comm::BOOL
+BrokerComm::BOOL
-Comm::INT
+BrokerComm::INT
-Comm::COUNT
+BrokerComm::COUNT
-Comm::DOUBLE
+BrokerComm::DOUBLE
-Comm::STRING
+BrokerComm::STRING
-Comm::ADDR
+BrokerComm::ADDR
-Comm::SUBNET
+BrokerComm::SUBNET
-Comm::PORT
+BrokerComm::PORT
-Comm::TIME
+BrokerComm::TIME
-Comm::INTERVAL
+BrokerComm::INTERVAL
-Comm::ENUM
+BrokerComm::ENUM
-Comm::SET
+BrokerComm::SET
-Comm::TABLE
+BrokerComm::TABLE
-Comm::VECTOR
+BrokerComm::VECTOR
-Comm::RECORD
+BrokerComm::RECORD
 ***************************
 T
 F
@ -29,7 +29,7 @@ hello
 22/tcp
 42.0
 180.0
-Comm::BOOL
+BrokerComm::BOOL
 ***************************
 {
 two,
--- a/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout
+++ b/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout
@ -0,0 +1,14 @@
 lookup(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]]
 lookup(four): [status=BrokerStore::SUCCESS, result=[d=<uninitialized>]]
 lookup(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]]
 lookup(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]]
 lookup(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
 exists(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]]
 exists(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
 exists(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]]
 exists(four): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
 pop_right(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{omega}]]
 pop_left(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{delta}]]
 keys: [status=BrokerStore::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
 size: [status=BrokerStore::SUCCESS, result=[d=broker::data{3}]]
 size (after clear): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]]
--- a/testing/btest/Baseline/core.leaks.broker.remote_event/recv.recv.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_event/recv.recv.out
--- a/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out
@ -1,4 +1,4 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
 got event msg, pong, 0
 got auto event msg, ping, 0
 got event msg, pong, 1
--- a/testing/btest/Baseline/core.leaks.broker.remote_log/recv.recv.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_log/recv.recv.out
--- a/testing/btest/Baseline/core.leaks.broker.remote_log/recv.test.log
+++ b/testing/btest/Baseline/core.leaks.broker.remote_log/recv.test.log
--- a/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out
@ -0,0 +1 @@
 BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
--- a/testing/btest/Baseline/core.leaks.broker.remote_log/send.test.log
+++ b/testing/btest/Baseline/core.leaks.broker.remote_log/send.test.log
--- a/testing/btest/Baseline/core.leaks.broker.remote_print/recv.recv.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_print/recv.recv.out
--- a/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out
+++ b/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out
@ -1,4 +1,4 @@
-Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
+BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
 got print msg, pong 0
 got print msg, pong 1
 got print msg, pong 2
--- a/testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out
+++ b/testing/btest/Baseline/core.leaks.comm.clone_store/clone.clone.out
@ -1,5 +0,0 @@
 clone keys, [status=Store::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
 lookup, one, [status=Store::SUCCESS, result=[d=broker::data{111}]]
 lookup, two, [status=Store::SUCCESS, result=[d=broker::data{222}]]
 lookup, myset, [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]]
 lookup, myvec, [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
--- a/testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout
+++ b/testing/btest/Baseline/core.leaks.comm.master_store/bro..stdout
@ -1,14 +0,0 @@
 lookup(two): [status=Store::SUCCESS, result=[d=broker::data{222}]]
 lookup(four): [status=Store::SUCCESS, result=[d=<uninitialized>]]
 lookup(myset): [status=Store::SUCCESS, result=[d=broker::data{{a, c, d}}]]
 lookup(one): [status=Store::SUCCESS, result=[d=broker::data{111}]]
 lookup(myvec): [status=Store::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
 exists(one): [status=Store::SUCCESS, result=[d=broker::data{1}]]
 exists(two): [status=Store::SUCCESS, result=[d=broker::data{0}]]
 exists(myset): [status=Store::SUCCESS, result=[d=broker::data{1}]]
 exists(four): [status=Store::SUCCESS, result=[d=broker::data{0}]]
 pop_right(myvec): [status=Store::SUCCESS, result=[d=broker::data{omega}]]
 pop_left(myvec): [status=Store::SUCCESS, result=[d=broker::data{delta}]]
 keys: [status=Store::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
 size: [status=Store::SUCCESS, result=[d=broker::data{3}]]
 size (after clear): [status=Store::SUCCESS, result=[d=broker::data{0}]]
--- a/testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out
+++ b/testing/btest/Baseline/core.leaks.comm.remote_log/send.send.out
@ -1 +0,0 @@
 Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp
--- a/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gre-in-gre/tunnel.log
@ -6,6 +6,6 @@
 #open	2014-01-16-21-51-36
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-1341436424.204043	CXWv6p3arKYeMETxOg	72.205.54.70	0	86.106.164.150	0	Tunnel::IP	Tunnel::DISCOVER
+1341436424.204043	CXWv6p3arKYeMETxOg	72.205.54.70	0	86.106.164.150	0	Tunnel::GRE	Tunnel::DISCOVER
-1341436424.204043	CjhGID4nQcgTWjvg4c	10.10.11.2	0	10.10.13.2	0	Tunnel::IP	Tunnel::DISCOVER
+1341436424.204043	CjhGID4nQcgTWjvg4c	10.10.11.2	0	10.10.13.2	0	Tunnel::GRE	Tunnel::DISCOVER
 #close	2014-01-16-21-51-36
--- a/testing/btest/Baseline/core.tunnels.gre/tunnel.log
+++ b/testing/btest/Baseline/core.tunnels.gre/tunnel.log
@ -6,5 +6,5 @@
 #open	2014-01-16-21-51-12
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
-1055289968.793044	CXWv6p3arKYeMETxOg	172.27.1.66	0	66.59.109.137	0	Tunnel::IP	Tunnel::DISCOVER
+1055289968.793044	CXWv6p3arKYeMETxOg	172.27.1.66	0	66.59.109.137	0	Tunnel::GRE	Tunnel::DISCOVER
 #close	2014-01-16-21-51-12
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -124,7 +124,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> <no result>
@ -192,7 +192,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@ -286,8 +286,8 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::default_path_func, <null>, (PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::default_path_func, <null>, (PacketFilter::LOG, , [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@ -669,7 +669,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <null>, ())
-0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}))
+0.000000   MetaHookPre   CallFunction(Files::register_analyzer_add_callback, <frame>, (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]))
@ -737,7 +737,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@ -831,8 +831,8 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql]))
-0.000000   MetaHookPre   CallFunction(Log::default_path_func, <null>, (PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::default_path_func, <null>, (PacketFilter::LOG, , [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@ -1213,7 +1213,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})
+0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ <init> FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ <init> HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])
@ -1281,7 +1281,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@ -1375,8 +1375,8 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])
-0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1425596289.27327, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1426273629.648148, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
--- a/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.http.header-names/http.log
@ -0,0 +1,23 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	http
 #open	2015-03-16-20-10-52
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types	client_header_names	server_header_names
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1300475168.784020	CRJuHdVW0XPVINV8a	141.142.220.118	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,VIA,X-VARNISH,LAST-MODIFIED,ETAG,VARY,CONNECTION
 1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.916183	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.918358	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/b/bd/Bookshelf-40x201_6.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.952307	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.952296	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.954820	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.962687	Cn78a440HlxuyZKs6f	141.142.220.118	35642	208.80.152.2	80	1	GET	meta.wikimedia.org	/images/wikimedia-button.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,EXPIRES,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.975934	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.976436	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475168.979264	C3SfNE4BWaU4aSuwkc	141.142.220.118	49998	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475169.014619	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475169.014593	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-	HOST,USER-AGENT,ACCEPT,ACCEPT-LANGUAGE,ACCEPT-ENCODING,ACCEPT-CHARSET,KEEP-ALIVE,CONNECTION,REFERER,IF-MODIFIED-SINCE,IF-NONE-MATCH,CACHE-CONTROL	DATE,CONTENT-TYPE,LAST-MODIFIED,ETAG,AGE,X-CACHE,X-CACHE-LOOKUP,X-CACHE,X-CACHE-LOOKUP,CONNECTION
 #close	2015-03-16-20-10-52
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-cluster/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-cluster/ssl.log
@ -0,0 +1,15 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open	2015-03-09-19-32-44
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
 1425929564.247511	CXWv6p3arKYeMETxOg	192.168.4.149	58529	128.32.169.140	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FTzCuuqU5y7w85H89	(empty)	CN=www.cviis.org,OU=Domain Control Validated	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	unable to get local issuer certificate
 1425929565.270104	CXWv6p3arKYeMETxOg	192.168.4.149	58529	128.32.169.140	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FXzQOu1ZSKSF7H8Ez6	(empty)	CN=www.cviis.org,OU=Domain Control Validated	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	unable to get local issuer certificate
 1425929566.843026	CjhGID4nQcgTWjvg4c	192.168.4.149	58530	72.167.102.91	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	F5l2dVkZHiwiOWR67,Fkw2ETDXfIXIvatba,Fbgf8A3V6m8v33wTcj	(empty)	CN=valid.sfig2.catest.starfieldtech.com,O=Starfield Technologies\, LLC,L=Scottsdale,ST=Arizona,C=US,serialNumber=R-1724741-6,businessCategory=Private Organization,jurisdictionST=Arizona,jurisdictionC=US	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	ok
 1425929571.372511	CCvvfg3TEfuqmmG4bh	192.168.4.149	58532	128.32.169.140	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FhEtvg4pQ90832J56f	(empty)	CN=www.cviis.org,OU=Domain Control Validated	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	ok
 1425929567.865619	CjhGID4nQcgTWjvg4c	192.168.4.149	58530	72.167.102.91	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	Fyc6cQ2rMCAhpIGcM5,FoJ8j735m9ogDYopYj,FHaYhA3ykzVlKPnnsc	(empty)	CN=valid.sfig2.catest.starfieldtech.com,O=Starfield Technologies\, LLC,L=Scottsdale,ST=Arizona,C=US,serialNumber=R-1724741-6,businessCategory=Private Organization,jurisdictionST=Arizona,jurisdictionC=US	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	ok
 1425929572.395104	CCvvfg3TEfuqmmG4bh	192.168.4.149	58532	128.32.169.140	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FwZZ8034tgyXSponwg	(empty)	CN=www.cviis.org,OU=Domain Control Validated	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	ok
 #close	2015-03-09-19-32-53
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-no-cache/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs-no-cache/ssl.log
@ -0,0 +1,12 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open	2015-03-09-19-51-25
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
 1417039703.224578	CXWv6p3arKYeMETxOg	192.168.4.149	58529	128.32.169.140	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FghNi02cFL9n6ttuMa	(empty)	CN=www.cviis.org,OU=Domain Control Validated	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	unable to get local issuer certificate
 1417039705.820093	CjhGID4nQcgTWjvg4c	192.168.4.149	58530	72.167.102.91	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	Fz7gr4fSm2T2sEyDl,FhjNBG25vvoBO6CS79,FQFHJA20WL56NP6LXk	(empty)	CN=valid.sfig2.catest.starfieldtech.com,O=Starfield Technologies\, LLC,L=Scottsdale,ST=Arizona,C=US,serialNumber=R-1724741-6,businessCategory=Private Organization,jurisdictionST=Arizona,jurisdictionC=US	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	ok
 1417039710.349578	CCvvfg3TEfuqmmG4bh	192.168.4.149	58532	128.32.169.140	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FRcFYq3e3hgYkZ8dS1	(empty)	CN=www.cviis.org,OU=Domain Control Validated	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	unable to get local issuer certificate
 #close	2015-03-09-19-51-25
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl-all.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl-all.log
@ -0,0 +1,23 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open	2015-03-09-19-44-42
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
 1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	F	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
 1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	F	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
 #close	2015-03-09-19-44-42
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open	2015-03-09-19-44-42
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
 1417039703.224578	CXWv6p3arKYeMETxOg	192.168.4.149	58529	128.32.169.140	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FghNi02cFL9n6ttuMa	(empty)	CN=www.cviis.org,OU=Domain Control Validated	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	unable to get local issuer certificate
 1417039705.820093	CjhGID4nQcgTWjvg4c	192.168.4.149	58530	72.167.102.91	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	Fz7gr4fSm2T2sEyDl,FhjNBG25vvoBO6CS79,FQFHJA20WL56NP6LXk	(empty)	CN=valid.sfig2.catest.starfieldtech.com,O=Starfield Technologies\, LLC,L=Scottsdale,ST=Arizona,C=US,serialNumber=R-1724741-6,businessCategory=Private Organization,jurisdictionST=Arizona,jurisdictionC=US	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	ok
 1417039710.349578	CCvvfg3TEfuqmmG4bh	192.168.4.149	58532	128.32.169.140	443	TLSv10	TLS_RSA_WITH_RC4_128_MD5	-	-	F	-	-	T	FRcFYq3e3hgYkZ8dS1	(empty)	CN=www.cviis.org,OU=Domain Control Validated	CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US	-	-	ok
 #close	2015-03-09-19-44-42
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
@ -1,11 +0,0 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open	2014-08-08-17-13-58
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
 1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	F	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
 1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	F	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
 #close	2014-08-08-17-13-58
--- a/testing/btest/Traces/tls/missing-intermediate.pcap
+++ b/testing/btest/Traces/tls/missing-intermediate.pcap
--- a/testing/btest/core/leaks/broker/clone_store.bro
+++ b/testing/btest/core/leaks/broker/clone_store.bro
@ -0,0 +1,113 @@
 # @TEST-SERIALIZE: brokercomm
 # @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leak
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out"
 # @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out"
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out
@TEST-START-FILE clone.bro
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 global h: opaque of BrokerStore::Handle;
 global expected_key_count = 4;
 global key_count = 0;
 function do_lookup(key: string)
 	{
 	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
 		{
 		++key_count;
 		print "lookup", key, res;
 		if ( key_count == expected_key_count )
 			terminate();
 		}
 	timeout 10sec
 		{ print "timeout"; }
 	}
 event ready()
 	{
 	h = BrokerStore::create_clone("mystore");
 	when ( local res = BrokerStore::keys(h) )
 		{
 		print "clone keys", res;
 		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 0)));
 		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 1)));
 		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 2)));
 		do_lookup(BrokerComm::refine_to_string(BrokerComm::vector_lookup(res$result, 3)));
 		}
 	timeout 10sec
 		{ print "timeout"; }
 	}
 event bro_init()
 	{
 	BrokerComm::enable();
 	BrokerComm::listen(broker_port, "127.0.0.1");
 	BrokerComm::subscribe_to_events("bro/event/ready");
 	}
@TEST-END-FILE
@TEST-START-FILE master.bro
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 global h: opaque of BrokerStore::Handle;
 function dv(d: BrokerComm::Data): BrokerComm::DataVector
 	{
 	local rval: BrokerComm::DataVector;
 	rval[0] = d;
 	return rval;
 	}
 global ready: event();
 event BrokerComm::outgoing_connection_broken(peer_address: string,
                                       peer_port: port)
 	{
 	terminate();
 	}
 event BrokerComm::outgoing_connection_established(peer_address: string,
                                            peer_port: port,
                                            peer_name: string)
 	{
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
 	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
 	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
 	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
 	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
 	BrokerStore::increment(h, BrokerComm::data("one"));
 	BrokerStore::decrement(h, BrokerComm::data("two"));
 	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
 	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
 	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
 	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
 	when ( local res = BrokerStore::size(h) )
 		{ event ready(); }
 	timeout 10sec
 		{ print "timeout"; }
 	}
 event bro_init()
 	{
 	BrokerComm::enable();
 	h = BrokerStore::create_master("mystore");
 	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
 	BrokerComm::auto_event("bro/event/ready", ready);
 	}
@TEST-END-FILE
--- a/testing/btest/core/leaks/broker/data.bro
+++ b/testing/btest/core/leaks/broker/data.bro
@ -0,0 +1,233 @@
 # @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leaks
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff bro/.stdout
 type bro_set: set[string];
 type bro_table: table[string] of count;
 type bro_vector: vector of string;
 type bro_record : record {
 	a: string &optional;
 	b: string &default = "bee";
 	c: count;
 };
 function comm_record_to_bro_record_recurse(it: opaque of BrokerComm::RecordIterator,
                                           rval: bro_record,
                                           idx: count): bro_record
 	{
 	if ( BrokerComm::record_iterator_last(it) )
 		return rval;
 	local field_value = BrokerComm::record_iterator_value(it);
 	if ( field_value?$d )
 		switch ( idx ) {
 		case 0:
 			rval$a = BrokerComm::refine_to_string(field_value);
 			break;
 		case 1:
 			rval$b = BrokerComm::refine_to_string(field_value);
 			break;
 		case 2:
 			rval$c = BrokerComm::refine_to_count(field_value);
 			break;
 		};
 	++idx;
 	BrokerComm::record_iterator_next(it);
 	return comm_record_to_bro_record_recurse(it, rval, idx);
 	}
 function comm_record_to_bro_record(d: BrokerComm::Data): bro_record
 	{
 	return comm_record_to_bro_record_recurse(BrokerComm::record_iterator(d),
 	                                         bro_record($c = 0), 0);
 	}
 function
 comm_set_to_bro_set_recurse(it: opaque of BrokerComm::SetIterator,
                            rval: bro_set): bro_set
 	{
 	if ( BrokerComm::set_iterator_last(it) )
 		return rval;
 	add rval[BrokerComm::refine_to_string(BrokerComm::set_iterator_value(it))];
 	BrokerComm::set_iterator_next(it);
 	return comm_set_to_bro_set_recurse(it, rval);
 	}
 function comm_set_to_bro_set(d: BrokerComm::Data): bro_set
 	{
 	return comm_set_to_bro_set_recurse(BrokerComm::set_iterator(d), bro_set());
 	}
 function
 comm_table_to_bro_table_recurse(it: opaque of BrokerComm::TableIterator,
                                rval: bro_table): bro_table
 	{
 	if ( BrokerComm::table_iterator_last(it) )
 		return rval;
 	local item = BrokerComm::table_iterator_value(it);
 	rval[BrokerComm::refine_to_string(item$key)] = BrokerComm::refine_to_count(item$val);
 	BrokerComm::table_iterator_next(it);
 	return comm_table_to_bro_table_recurse(it, rval);
 	}
 function comm_table_to_bro_table(d: BrokerComm::Data): bro_table
 	{
 	return comm_table_to_bro_table_recurse(BrokerComm::table_iterator(d),
 	                                       bro_table());
 	}
 function comm_vector_to_bro_vector_recurse(it: opaque of BrokerComm::VectorIterator,
                                           rval: bro_vector): bro_vector
 	{
 	if ( BrokerComm::vector_iterator_last(it) )
 		return rval;
 	rval[|rval|] = BrokerComm::refine_to_string(BrokerComm::vector_iterator_value(it));
 	BrokerComm::vector_iterator_next(it);
 	return comm_vector_to_bro_vector_recurse(it, rval);
 	}
 function comm_vector_to_bro_vector(d: BrokerComm::Data): bro_vector
 	{
 	return comm_vector_to_bro_vector_recurse(BrokerComm::vector_iterator(d),
 	                                         bro_vector());
 	}
 event bro_init()
 	{
 BrokerComm::enable();
 	}
 global did_it = F;
 event new_connection(c: connection)
 	{
 if ( did_it ) return;
 did_it = T;
 print BrokerComm::data_type(BrokerComm::data(T));
 print BrokerComm::data_type(BrokerComm::data(+1));
 print BrokerComm::data_type(BrokerComm::data(1));
 print BrokerComm::data_type(BrokerComm::data(1.1));
 print BrokerComm::data_type(BrokerComm::data("1 (how creative)"));
 print BrokerComm::data_type(BrokerComm::data(1.1.1.1));
 print BrokerComm::data_type(BrokerComm::data(1.1.1.1/1));
 print BrokerComm::data_type(BrokerComm::data(1/udp));
 print BrokerComm::data_type(BrokerComm::data(double_to_time(1)));
 print BrokerComm::data_type(BrokerComm::data(1sec));
 print BrokerComm::data_type(BrokerComm::data(BrokerComm::BOOL));
 local s: bro_set = bro_set("one", "two", "three");
 local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3);
 local v: bro_vector = bro_vector("zero", "one", "two");
 local r: bro_record = bro_record($c = 1);
 print BrokerComm::data_type(BrokerComm::data(s));
 print BrokerComm::data_type(BrokerComm::data(t));
 print BrokerComm::data_type(BrokerComm::data(v));
 print BrokerComm::data_type(BrokerComm::data(r));
 print "***************************";
 print BrokerComm::refine_to_bool(BrokerComm::data(T));
 print BrokerComm::refine_to_bool(BrokerComm::data(F));
 print BrokerComm::refine_to_int(BrokerComm::data(+1));
 print BrokerComm::refine_to_int(BrokerComm::data(+0));
 print BrokerComm::refine_to_int(BrokerComm::data(-1));
 print BrokerComm::refine_to_count(BrokerComm::data(1));
 print BrokerComm::refine_to_count(BrokerComm::data(0));
 print BrokerComm::refine_to_double(BrokerComm::data(1.1));
 print BrokerComm::refine_to_double(BrokerComm::data(-11.1));
 print BrokerComm::refine_to_string(BrokerComm::data("hello"));
 print BrokerComm::refine_to_addr(BrokerComm::data(1.2.3.4));
 print BrokerComm::refine_to_subnet(BrokerComm::data(192.168.1.1/16));
 print BrokerComm::refine_to_port(BrokerComm::data(22/tcp));
 print BrokerComm::refine_to_time(BrokerComm::data(double_to_time(42)));
 print BrokerComm::refine_to_interval(BrokerComm::data(3min));
 print BrokerComm::refine_to_enum_name(BrokerComm::data(BrokerComm::BOOL));
 print "***************************";
 local cs = BrokerComm::data(s);
 print comm_set_to_bro_set(cs);
 cs = BrokerComm::set_create();
 print BrokerComm::set_size(cs);
 print BrokerComm::set_insert(cs, BrokerComm::data("hi"));
 print BrokerComm::set_size(cs);
 print BrokerComm::set_contains(cs, BrokerComm::data("hi"));
 print BrokerComm::set_contains(cs, BrokerComm::data("bye"));
 print BrokerComm::set_insert(cs, BrokerComm::data("bye"));
 print BrokerComm::set_size(cs);
 print BrokerComm::set_remove(cs, BrokerComm::data("hi"));
 print BrokerComm::set_size(cs);
 print BrokerComm::set_remove(cs, BrokerComm::data("hi"));
 print comm_set_to_bro_set(cs);
 BrokerComm::set_clear(cs);
 print BrokerComm::set_size(cs);
 print "***************************";
 local ct = BrokerComm::data(t);
 print comm_table_to_bro_table(ct);
 ct = BrokerComm::table_create();
 print BrokerComm::table_size(ct);
 print BrokerComm::table_insert(ct, BrokerComm::data("hi"), BrokerComm::data(42));
 print BrokerComm::table_size(ct);
 print BrokerComm::table_contains(ct, BrokerComm::data("hi"));
 print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("hi")));
 print BrokerComm::table_contains(ct, BrokerComm::data("bye"));
 print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(7));
 print BrokerComm::table_size(ct);
 print BrokerComm::table_insert(ct, BrokerComm::data("bye"), BrokerComm::data(37));
 print BrokerComm::table_size(ct);
 print BrokerComm::refine_to_count(BrokerComm::table_lookup(ct, BrokerComm::data("bye")));
 print BrokerComm::table_remove(ct, BrokerComm::data("hi"));
 print BrokerComm::table_size(ct);
 print "***************************";
 local cv = BrokerComm::data(v);
 print comm_vector_to_bro_vector(cv);
 cv = BrokerComm::vector_create();
 print BrokerComm::vector_size(cv);
 print BrokerComm::vector_insert(cv, BrokerComm::data("hi"), 0);
 print BrokerComm::vector_insert(cv, BrokerComm::data("hello"), 1);
 print BrokerComm::vector_insert(cv, BrokerComm::data("greetings"), 2);
 print BrokerComm::vector_insert(cv, BrokerComm::data("salutations"), 1);
 print comm_vector_to_bro_vector(cv);
 print BrokerComm::vector_size(cv);
 print BrokerComm::vector_replace(cv, BrokerComm::data("bah"), 2);
 print BrokerComm::vector_lookup(cv, 2);
 print BrokerComm::vector_lookup(cv, 0);
 print comm_vector_to_bro_vector(cv);
 print BrokerComm::vector_remove(cv, 2);
 print comm_vector_to_bro_vector(cv);
 print BrokerComm::vector_size(cv);
 print "***************************";
 local cr = BrokerComm::data(r);
 print comm_record_to_bro_record(cr);
 r$a = "test";
 cr = BrokerComm::data(r);
 print comm_record_to_bro_record(cr);
 r$b = "testagain";
 cr = BrokerComm::data(r);
 print comm_record_to_bro_record(cr);
 cr = BrokerComm::record_create(3);
 print BrokerComm::record_size(cr);
 print BrokerComm::record_assign(cr, BrokerComm::data("hi"), 0);
 print BrokerComm::record_assign(cr, BrokerComm::data("hello"), 1);
 print BrokerComm::record_assign(cr, BrokerComm::data(37), 2);
 print BrokerComm::record_lookup(cr, 0);
 print BrokerComm::record_lookup(cr, 1);
 print BrokerComm::record_lookup(cr, 2);
 print BrokerComm::record_size(cr);
 }
--- a/testing/btest/core/leaks/broker/master_store.bro
+++ b/testing/btest/core/leaks/broker/master_store.bro
@ -8,7 +8,7 @@
 redef exit_only_after_terminate = T;
-global h: opaque of Store::Handle;
+global h: opaque of BrokerStore::Handle;
 global lookup_count = 0;
 const lookup_expect_count = 5;
 global exists_count = 0;
@ -20,13 +20,13 @@ global test_size: event(where: string &default = "");
 event test_clear()
 	{
-	Store::clear(h);
+	BrokerStore::clear(h);
 	event test_size("after clear");
 	}
 event test_size(where: string)
 	{
-	when ( local res = Store::size(h) )
+	when ( local res = BrokerStore::size(h) )
 		{
 		if ( where == "" )
 			{
@ -45,7 +45,7 @@ event test_size(where: string)
 event test_keys()
 	{
-	when ( local res = Store::keys(h) )
+	when ( local res = BrokerStore::keys(h) )
 		{
 		print fmt("keys: %s", res);
 		event test_size();
@ -56,7 +56,7 @@ event test_keys()
 event test_pop(key: string)
 	{
-	when ( local lres = Store::pop_left(h, Comm::data(key)) )
+	when ( local lres = BrokerStore::pop_left(h, BrokerComm::data(key)) )
 		{
 		print fmt("pop_left(%s): %s", key, lres);
 		++pop_count;
@ -67,7 +67,7 @@ event test_pop(key: string)
 	timeout 10sec
 		{ print "timeout"; }
-	when ( local rres = Store::pop_right(h, Comm::data(key)) )
+	when ( local rres = BrokerStore::pop_right(h, BrokerComm::data(key)) )
 		{
 		print fmt("pop_right(%s): %s", key, rres);
 		++pop_count;
@ -81,7 +81,7 @@ event test_pop(key: string)
 function do_exists(key: string)
 	{
-	when ( local res = Store::exists(h, Comm::data(key)) )
+	when ( local res = BrokerStore::exists(h, BrokerComm::data(key)) )
 		{
 		print fmt("exists(%s): %s", key, res);
 		++exists_count;
@ -95,7 +95,7 @@ function do_exists(key: string)
 event test_erase()
 	{
-	Store::erase(h, Comm::data("two"));
+	BrokerStore::erase(h, BrokerComm::data("two"));
 	do_exists("one");
 	do_exists("two");
 	do_exists("myset");
@ -104,7 +104,7 @@ event test_erase()
 function do_lookup(key: string)
 	{
-	when ( local res = Store::lookup(h, Comm::data(key)) )
+	when ( local res = BrokerStore::lookup(h, BrokerComm::data(key)) )
 		{
 		print fmt("lookup(%s): %s", key, res);
 		++lookup_count;
@ -116,9 +116,9 @@ function do_lookup(key: string)
 		{ print "timeout"; }
 	}
-function dv(d: Comm::Data): Comm::DataVector
+function dv(d: BrokerComm::Data): BrokerComm::DataVector
 	{
-	local rval: Comm::DataVector;
+	local rval: BrokerComm::DataVector;
 	rval[0] = d;
 	return rval;
 	}
@ -127,8 +127,8 @@ global did_it = F;
 event bro_init()
 	{
-	Comm::enable();
+	BrokerComm::enable();
-	h = Store::create_master("master");
+	h = BrokerStore::create_master("master");
 	}
 event new_connection(c: connection)
@ -137,16 +137,16 @@ event new_connection(c: connection)
 	did_it = T;
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
-	Store::insert(h, Comm::data("one"), Comm::data(110));
+	BrokerStore::insert(h, BrokerComm::data("one"), BrokerComm::data(110));
-	Store::insert(h, Comm::data("two"), Comm::data(223));
+	BrokerStore::insert(h, BrokerComm::data("two"), BrokerComm::data(223));
-	Store::insert(h, Comm::data("myset"), Comm::data(myset));
+	BrokerStore::insert(h, BrokerComm::data("myset"), BrokerComm::data(myset));
-	Store::insert(h, Comm::data("myvec"), Comm::data(myvec));
+	BrokerStore::insert(h, BrokerComm::data("myvec"), BrokerComm::data(myvec));
-	Store::increment(h, Comm::data("one"));
+	BrokerStore::increment(h, BrokerComm::data("one"));
-	Store::decrement(h, Comm::data("two"));
+	BrokerStore::decrement(h, BrokerComm::data("two"));
-	Store::add_to_set(h, Comm::data("myset"), Comm::data("d"));
+	BrokerStore::add_to_set(h, BrokerComm::data("myset"), BrokerComm::data("d"));
-	Store::remove_from_set(h, Comm::data("myset"), Comm::data("b"));
+	BrokerStore::remove_from_set(h, BrokerComm::data("myset"), BrokerComm::data("b"));
-	Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta")));
+	BrokerStore::push_left(h, BrokerComm::data("myvec"), dv(BrokerComm::data("delta")));
-	Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega")));
+	BrokerStore::push_right(h, BrokerComm::data("myvec"), dv(BrokerComm::data("omega")));
 	do_lookup("one");
 	do_lookup("two");
 	do_lookup("myset");
--- a/testing/btest/core/leaks/broker/remote_event.test
+++ b/testing/btest/core/leaks/broker/remote_event.test
@ -20,10 +20,10 @@ global auto_event_handler: event(msg: string, c: count);
 event bro_init()
 	{
-	Comm::enable();
+	BrokerComm::enable();
-	Comm::listen(broker_port, "127.0.0.1");
+	BrokerComm::listen(broker_port, "127.0.0.1");
-	Comm::subscribe_to_events("bro/event/");
+	BrokerComm::subscribe_to_events("bro/event/");
-	Comm::auto_event("bro/event/my_topic", auto_event_handler);
+	BrokerComm::auto_event("bro/event/my_topic", auto_event_handler);
 	}
 global event_count = 0;
@ -41,8 +41,8 @@ event event_handler(msg: string, n: count)
 		}
 	event auto_event_handler(msg, n);
-	local args = Comm::event_args(event_handler, "pong", n);
+	local args = BrokerComm::event_args(event_handler, "pong", n);
-	Comm::event("bro/event/my_topic", args);
+	BrokerComm::event("bro/event/my_topic", args);
 	}
@TEST-END-FILE
@ -57,24 +57,24 @@ global auto_event_handler: event(msg: string, c: count);
 event bro_init()
 	{
-	Comm::enable();
+	BrokerComm::enable();
-	Comm::subscribe_to_events("bro/event/my_topic");
+	BrokerComm::subscribe_to_events("bro/event/my_topic");
-	Comm::connect("127.0.0.1", broker_port, 1secs);
+	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
 	}
 global event_count = 0;
-event Comm::outgoing_connection_established(peer_address: string,
+event BrokerComm::outgoing_connection_established(peer_address: string,
                                            peer_port: port,
                                            peer_name: string)
 	{
-	print "Comm::outgoing_connection_established", peer_address, peer_port;
+	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
-	local args = Comm::event_args(event_handler, "ping", event_count);
+	local args = BrokerComm::event_args(event_handler, "ping", event_count);
-	Comm::event("bro/event/hi", args);
+	BrokerComm::event("bro/event/hi", args);
 	++event_count;
 	}
-event Comm::outgoing_connection_broken(peer_address: string,
+event BrokerComm::outgoing_connection_broken(peer_address: string,
                                       peer_port: port)
 	{
 	terminate();
@ -83,8 +83,8 @@ event Comm::outgoing_connection_broken(peer_address: string,
 event event_handler(msg: string, n: count)
 	{
 	print "got event msg", msg, n;
-	local args = Comm::event_args(event_handler, "ping", event_count);
+	local args = BrokerComm::event_args(event_handler, "ping", event_count);
-    Comm::event("bro/event/hi", args);
+    BrokerComm::event("bro/event/hi", args);
 	++event_count;
 	}
--- a/testing/btest/core/leaks/broker/remote_log.test
+++ b/testing/btest/core/leaks/broker/remote_log.test
@ -29,7 +29,7 @@ export {
 event bro_init() &priority=5
 	{
-	Comm::enable();
+	BrokerComm::enable();
 	Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]);
 	}
@ -42,8 +42,8 @@ redef exit_only_after_terminate = T;
 event bro_init()
 	{
-	Comm::listen(broker_port, "127.0.0.1");
+	BrokerComm::listen(broker_port, "127.0.0.1");
-	Comm::subscribe_to_logs("bro/log/");
+	BrokerComm::subscribe_to_logs("bro/log/");
 	}
 event Test::log_test(rec: Test::Info)
@ -63,8 +63,8 @@ redef exit_only_after_terminate = T;
 event bro_init()
 	{
-	Comm::enable_remote_logs(Test::LOG);
+	BrokerComm::enable_remote_logs(Test::LOG);
-	Comm::connect("127.0.0.1", broker_port, 1secs);
+	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
 	}
 global n = 0;
@ -81,15 +81,15 @@ event do_write()
 		}
 	}
-event Comm::outgoing_connection_established(peer_address: string,
+event BrokerComm::outgoing_connection_established(peer_address: string,
                                            peer_port: port,
                                            peer_name: string)
 	{
-	print "Comm::outgoing_connection_established", peer_address, peer_port;
+	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
 	event do_write();
 	}
-event Comm::outgoing_connection_broken(peer_address: string,
+event BrokerComm::outgoing_connection_broken(peer_address: string,
                                       peer_port: port)
 	{
 	terminate();
--- a/testing/btest/core/leaks/broker/remote_print.test
+++ b/testing/btest/core/leaks/broker/remote_print.test
@ -17,16 +17,16 @@ redef exit_only_after_terminate = T;
 event bro_init()
 	{
-	Comm::enable();
+	BrokerComm::enable();
-	Comm::listen(broker_port, "127.0.0.1");
+	BrokerComm::listen(broker_port, "127.0.0.1");
-	Comm::subscribe_to_prints("bro/print/");
+	BrokerComm::subscribe_to_prints("bro/print/");
 	}
 global messages_to_recv = 6;
 global messages_sent = 0;
 global messages_recv = 0;
-event Comm::print_handler(msg: string)
+event BrokerComm::print_handler(msg: string)
 	{
 	++messages_recv;
 	print "got print msg", msg;
@ -37,7 +37,7 @@ event Comm::print_handler(msg: string)
 		return;
 		}
-	Comm::print("bro/print/my_topic", fmt("pong %d", messages_sent));
+	BrokerComm::print("bro/print/my_topic", fmt("pong %d", messages_sent));
 	++messages_sent;
 	}
@ -50,35 +50,35 @@ redef exit_only_after_terminate = T;
 event bro_init()
 	{
-	Comm::enable();
+	BrokerComm::enable();
-	Comm::subscribe_to_prints("bro/print/my_topic");
+	BrokerComm::subscribe_to_prints("bro/print/my_topic");
-	Comm::connect("127.0.0.1", broker_port, 1secs);
+	BrokerComm::connect("127.0.0.1", broker_port, 1secs);
 	}
 global messages_sent = 0;
 global messages_recv = 0;
 global peer_disconnected = F;
-event Comm::outgoing_connection_established(peer_address: string,
+event BrokerComm::outgoing_connection_established(peer_address: string,
                                            peer_port: port,
                                            peer_name: string)
 	{
-	print "Comm::outgoing_connection_established", peer_address, peer_port;
+	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
-	Comm::print("bro/print/hi", fmt("ping %d", messages_sent));
+	BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
-event Comm::outgoing_connection_broken(peer_address: string,
+event BrokerComm::outgoing_connection_broken(peer_address: string,
                                       peer_port: port)
 	{
 	terminate();
 	}
-event Comm::print_handler(msg: string)
+event BrokerComm::print_handler(msg: string)
 	{
 	++messages_recv;
 	print "got print msg", msg;
-	Comm::print("bro/print/hi", fmt("ping %d", messages_sent));
+	BrokerComm::print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
--- a/testing/btest/core/leaks/comm/clone_store.bro
+++ b/testing/btest/core/leaks/comm/clone_store.bro
@ -1,113 +0,0 @@
 # @TEST-SERIALIZE: brokercomm
 # @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leak
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out"
 # @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out"
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out
@TEST-START-FILE clone.bro
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 global h: opaque of Store::Handle;
 global expected_key_count = 4;
 global key_count = 0;
 function do_lookup(key: string)
 	{
 	when ( local res = Store::lookup(h, Comm::data(key)) )
 		{
 		++key_count;
 		print "lookup", key, res;
 		if ( key_count == expected_key_count )
 			terminate();
 		}
 	timeout 10sec
 		{ print "timeout"; }
 	}
 event ready()
 	{
 	h = Store::create_clone("mystore");
 	when ( local res = Store::keys(h) )
 		{
 		print "clone keys", res;
 		do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 0)));
 		do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 1)));
 		do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 2)));
 		do_lookup(Comm::refine_to_string(Comm::vector_lookup(res$result, 3)));
 		}
 	timeout 10sec
 		{ print "timeout"; }
 	}
 event bro_init()
 	{
 	Comm::enable();
 	Comm::listen(broker_port, "127.0.0.1");
 	Comm::subscribe_to_events("bro/event/ready");
 	}
@TEST-END-FILE
@TEST-START-FILE master.bro
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 global h: opaque of Store::Handle;
 function dv(d: Comm::Data): Comm::DataVector
 	{
 	local rval: Comm::DataVector;
 	rval[0] = d;
 	return rval;
 	}
 global ready: event();
 event Comm::outgoing_connection_broken(peer_address: string,
                                       peer_port: port)
 	{
 	terminate();
 	}
 event Comm::outgoing_connection_established(peer_address: string,
                                            peer_port: port,
                                            peer_name: string)
 	{
 	local myset: set[string] = {"a", "b", "c"};
 	local myvec: vector of string = {"alpha", "beta", "gamma"};
 	Store::insert(h, Comm::data("one"), Comm::data(110));
 	Store::insert(h, Comm::data("two"), Comm::data(223));
 	Store::insert(h, Comm::data("myset"), Comm::data(myset));
 	Store::insert(h, Comm::data("myvec"), Comm::data(myvec));
 	Store::increment(h, Comm::data("one"));
 	Store::decrement(h, Comm::data("two"));
 	Store::add_to_set(h, Comm::data("myset"), Comm::data("d"));
 	Store::remove_from_set(h, Comm::data("myset"), Comm::data("b"));
 	Store::push_left(h, Comm::data("myvec"), dv(Comm::data("delta")));
 	Store::push_right(h, Comm::data("myvec"), dv(Comm::data("omega")));
 	when ( local res = Store::size(h) )
 		{ event ready(); }
 	timeout 10sec
 		{ print "timeout"; }
 	}
 event bro_init()
 	{
 	Comm::enable();
 	h = Store::create_master("mystore");
 	Comm::connect("127.0.0.1", broker_port, 1secs);
 	Comm::auto_event("bro/event/ready", ready);
 	}
@TEST-END-FILE
--- a/testing/btest/core/leaks/comm/data.bro
+++ b/testing/btest/core/leaks/comm/data.bro
@ -1,233 +0,0 @@
 # @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-GROUP: leaks
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT
 # @TEST-EXEC: btest-bg-wait 45
 # @TEST-EXEC: btest-diff bro/.stdout
 type bro_set: set[string];
 type bro_table: table[string] of count;
 type bro_vector: vector of string;
 type bro_record : record {
 	a: string &optional;
 	b: string &default = "bee";
 	c: count;
 };
 function comm_record_to_bro_record_recurse(it: opaque of Comm::RecordIterator,
                                           rval: bro_record,
                                           idx: count): bro_record
 	{
 	if ( Comm::record_iterator_last(it) )
 		return rval;
 	local field_value = Comm::record_iterator_value(it);
 	if ( field_value?$d )
 		switch ( idx ) {
 		case 0:
 			rval$a = Comm::refine_to_string(field_value);
 			break;
 		case 1:
 			rval$b = Comm::refine_to_string(field_value);
 			break;
 		case 2:
 			rval$c = Comm::refine_to_count(field_value);
 			break;
 		};
 	++idx;
 	Comm::record_iterator_next(it);
 	return comm_record_to_bro_record_recurse(it, rval, idx);
 	}
 function comm_record_to_bro_record(d: Comm::Data): bro_record
 	{
 	return comm_record_to_bro_record_recurse(Comm::record_iterator(d),
 	                                         bro_record($c = 0), 0);
 	}
 function
 comm_set_to_bro_set_recurse(it: opaque of Comm::SetIterator,
                            rval: bro_set): bro_set
 	{
 	if ( Comm::set_iterator_last(it) )
 		return rval;
 	add rval[Comm::refine_to_string(Comm::set_iterator_value(it))];
 	Comm::set_iterator_next(it);
 	return comm_set_to_bro_set_recurse(it, rval);
 	}
 function comm_set_to_bro_set(d: Comm::Data): bro_set
 	{
 	return comm_set_to_bro_set_recurse(Comm::set_iterator(d), bro_set());
 	}
 function
 comm_table_to_bro_table_recurse(it: opaque of Comm::TableIterator,
                                rval: bro_table): bro_table
 	{
 	if ( Comm::table_iterator_last(it) )
 		return rval;
 	local item = Comm::table_iterator_value(it);
 	rval[Comm::refine_to_string(item$key)] = Comm::refine_to_count(item$val);
 	Comm::table_iterator_next(it);
 	return comm_table_to_bro_table_recurse(it, rval);
 	}
 function comm_table_to_bro_table(d: Comm::Data): bro_table
 	{
 	return comm_table_to_bro_table_recurse(Comm::table_iterator(d),
 	                                       bro_table());
 	}
 function comm_vector_to_bro_vector_recurse(it: opaque of Comm::VectorIterator,
                                           rval: bro_vector): bro_vector
 	{
 	if ( Comm::vector_iterator_last(it) )
 		return rval;
 	rval[|rval|] = Comm::refine_to_string(Comm::vector_iterator_value(it));
 	Comm::vector_iterator_next(it);
 	return comm_vector_to_bro_vector_recurse(it, rval);
 	}
 function comm_vector_to_bro_vector(d: Comm::Data): bro_vector
 	{
 	return comm_vector_to_bro_vector_recurse(Comm::vector_iterator(d),
 	                                         bro_vector());
 	}
 event bro_init()
 	{
 Comm::enable();
 	}
 global did_it = F;
 event new_connection(c: connection)
 	{
 if ( did_it ) return;
 did_it = T;
 print Comm::data_type(Comm::data(T));
 print Comm::data_type(Comm::data(+1));
 print Comm::data_type(Comm::data(1));
 print Comm::data_type(Comm::data(1.1));
 print Comm::data_type(Comm::data("1 (how creative)"));
 print Comm::data_type(Comm::data(1.1.1.1));
 print Comm::data_type(Comm::data(1.1.1.1/1));
 print Comm::data_type(Comm::data(1/udp));
 print Comm::data_type(Comm::data(double_to_time(1)));
 print Comm::data_type(Comm::data(1sec));
 print Comm::data_type(Comm::data(Comm::BOOL));
 local s: bro_set = bro_set("one", "two", "three");
 local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3);
 local v: bro_vector = bro_vector("zero", "one", "two");
 local r: bro_record = bro_record($c = 1);
 print Comm::data_type(Comm::data(s));
 print Comm::data_type(Comm::data(t));
 print Comm::data_type(Comm::data(v));
 print Comm::data_type(Comm::data(r));
 print "***************************";
 print Comm::refine_to_bool(Comm::data(T));
 print Comm::refine_to_bool(Comm::data(F));
 print Comm::refine_to_int(Comm::data(+1));
 print Comm::refine_to_int(Comm::data(+0));
 print Comm::refine_to_int(Comm::data(-1));
 print Comm::refine_to_count(Comm::data(1));
 print Comm::refine_to_count(Comm::data(0));
 print Comm::refine_to_double(Comm::data(1.1));
 print Comm::refine_to_double(Comm::data(-11.1));
 print Comm::refine_to_string(Comm::data("hello"));
 print Comm::refine_to_addr(Comm::data(1.2.3.4));
 print Comm::refine_to_subnet(Comm::data(192.168.1.1/16));
 print Comm::refine_to_port(Comm::data(22/tcp));
 print Comm::refine_to_time(Comm::data(double_to_time(42)));
 print Comm::refine_to_interval(Comm::data(3min));
 print Comm::refine_to_enum_name(Comm::data(Comm::BOOL));
 print "***************************";
 local cs = Comm::data(s);
 print comm_set_to_bro_set(cs);
 cs = Comm::set_create();
 print Comm::set_size(cs);
 print Comm::set_insert(cs, Comm::data("hi"));
 print Comm::set_size(cs);
 print Comm::set_contains(cs, Comm::data("hi"));
 print Comm::set_contains(cs, Comm::data("bye"));
 print Comm::set_insert(cs, Comm::data("bye"));
 print Comm::set_size(cs);
 print Comm::set_remove(cs, Comm::data("hi"));
 print Comm::set_size(cs);
 print Comm::set_remove(cs, Comm::data("hi"));
 print comm_set_to_bro_set(cs);
 Comm::set_clear(cs);
 print Comm::set_size(cs);
 print "***************************";
 local ct = Comm::data(t);
 print comm_table_to_bro_table(ct);
 ct = Comm::table_create();
 print Comm::table_size(ct);
 print Comm::table_insert(ct, Comm::data("hi"), Comm::data(42));
 print Comm::table_size(ct);
 print Comm::table_contains(ct, Comm::data("hi"));
 print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("hi")));
 print Comm::table_contains(ct, Comm::data("bye"));
 print Comm::table_insert(ct, Comm::data("bye"), Comm::data(7));
 print Comm::table_size(ct);
 print Comm::table_insert(ct, Comm::data("bye"), Comm::data(37));
 print Comm::table_size(ct);
 print Comm::refine_to_count(Comm::table_lookup(ct, Comm::data("bye")));
 print Comm::table_remove(ct, Comm::data("hi"));
 print Comm::table_size(ct);
 print "***************************";
 local cv = Comm::data(v);
 print comm_vector_to_bro_vector(cv);
 cv = Comm::vector_create();
 print Comm::vector_size(cv);
 print Comm::vector_insert(cv, Comm::data("hi"), 0);
 print Comm::vector_insert(cv, Comm::data("hello"), 1);
 print Comm::vector_insert(cv, Comm::data("greetings"), 2);
 print Comm::vector_insert(cv, Comm::data("salutations"), 1);
 print comm_vector_to_bro_vector(cv);
 print Comm::vector_size(cv);
 print Comm::vector_replace(cv, Comm::data("bah"), 2);
 print Comm::vector_lookup(cv, 2);
 print Comm::vector_lookup(cv, 0);
 print comm_vector_to_bro_vector(cv);
 print Comm::vector_remove(cv, 2);
 print comm_vector_to_bro_vector(cv);
 print Comm::vector_size(cv);
 print "***************************";
 local cr = Comm::data(r);
 print comm_record_to_bro_record(cr);
 r$a = "test";
 cr = Comm::data(r);
 print comm_record_to_bro_record(cr);
 r$b = "testagain";
 cr = Comm::data(r);
 print comm_record_to_bro_record(cr);
 cr = Comm::record_create(3);
 print Comm::record_size(cr);
 print Comm::record_assign(cr, Comm::data("hi"), 0);
 print Comm::record_assign(cr, Comm::data("hello"), 1);
 print Comm::record_assign(cr, Comm::data(37), 2);
 print Comm::record_lookup(cr, 0);
 print Comm::record_lookup(cr, 1);
 print Comm::record_lookup(cr, 2);
 print Comm::record_size(cr);
 }
--- a/testing/btest/scripts/policy/frameworks/files/extract-all.bro
+++ b/testing/btest/scripts/policy/frameworks/files/extract-all.bro
@ -0,0 +1,2 @@
 # @TEST-EXEC: bro -r $TRACES/http/get.trace frameworks/files/extract-all-files
 # @TEST-EXEC: grep -q EXTRACT files.log
--- a/testing/btest/scripts/policy/protocols/http/header-names.bro
+++ b/testing/btest/scripts/policy/protocols/http/header-names.bro
@ -0,0 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
@load protocols/http/header-names
 redef HTTP::log_server_header_names=T;
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-cluster.bro
@ -0,0 +1,37 @@
 # @TEST-SERIALIZE: comm
 #
 # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT"
 # @TEST-EXEC: sleep 1
 # @TEST-EXEC: btest-bg-run proxy-1   "cp ../cluster-layout.bro . && CLUSTER_NODE=proxy-1 bro %INPUT"
 # @TEST-EXEC: btest-bg-run proxy-2   "cp ../cluster-layout.bro . && CLUSTER_NODE=proxy-2 bro %INPUT"
 # @TEST-EXEC: sleep 1
 # @TEST-EXEC: btest-bg-run worker-1  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/missing-intermediate.pcap %INPUT"
 # @TEST-EXEC: btest-bg-run worker-2  "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/missing-intermediate.pcap %INPUT"
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: cat manager-1/ssl*.log > ssl.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-file-ids btest-diff ssl.log
 #
 redef Log::default_rotation_interval = 0secs;
@TEST-START-FILE cluster-layout.bro
 redef Cluster::nodes = {
 	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
 	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")],
 	["proxy-2"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1", $workers=set("worker-2")],
 	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
 	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"],
 };
@TEST-END-FILE
 event terminate_me() {
 	terminate();
 }
 event remote_connection_closed(p: event_peer) {
 	schedule 1sec { terminate_me() };
 }
@load base/frameworks/cluster
@load protocols/ssl/validate-certs.bro
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs-no-cache.bro
@ -0,0 +1,6 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl.log
@load protocols/ssl/validate-certs.bro
 redef SSL::ssl_cache_intermediate_ca = F;
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
@ -1,4 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT
-# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: bro -C -r $TRACES/tls/missing-intermediate.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-x509-names btest-diff ssl-all.log
-@load protocols/ssl/validate-certs
+@load protocols/ssl/validate-certs.bro
		`@ -1,3 +0,0 @@`

			`See doc/install/install.rst for installation instructions.`
		`@ -1 +1 @@`
			`Subproject commit 762d2722290ca0004d0da2b0b96baea6a3a7f3f4`				`Subproject commit 71c86d87ffd1750278a185ecff0ba5f5ae8fcf6e`
		`@ -1 +1 @@`
			`Subproject commit 1a49b0e3d23fdfe8da3187dddb310883b641e4a3`				`Subproject commit 1a2ab9ee7c80ca905e86a2a11283e7c0477341a9`
		`@ -1 +1 @@`
			`Subproject commit 71d820e9d8ca753fea8fb34ea3987993b28d79e4`				`Subproject commit 172e0559ec508c86abb81b371ee28e79130faec6`
		`@ -0,0 +1 @@`
							`BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp`
		`@ -1 +0,0 @@`
			`Comm::outgoing_connection_established, 127.0.0.1, 9999/tcp`
		`@ -0,0 +1,2 @@`
							`# @TEST-EXEC: bro -r $TRACES/http/get.trace frameworks/files/extract-all-files`
							`# @TEST-EXEC: grep -q EXTRACT files.log`