Merge remote-tracking branch 'origin/topic/jsiwek/plist-and-event-cleanup'

* origin/topic/jsiwek/plist-and-event-cleanup: Add comments to QueueEvent() and ConnectionEvent() Add methods to queue events without handler existence check Cleanup/improve PList usage and Event API
2025-10-02 14:48:21 +00:00 · 2019-05-01 08:28:14 -07:00 · 2019-05-01 08:28:14 -07:00 · 29d9b5b554
commit 29d9b5b554
parent 9a461d26e4 c67da0a3cb
109 changed files with 2080 additions and 1850 deletions
--- a/34
+++ b/34
@ -1,4 +1,38 @@
 2.6-255 | 2019-05-01 08:38:49 -0700
  * Add methods to queue events without handler existence check
    Added ConnectionEventFast() and QueueEventFast() methods to avoid
    redundant event handler existence checks.
    It's common practice for caller to already check for event handler
    existence before doing all the work of constructing the arguments, so
    it's desirable to not have to check for existence again.
    E.g. going through ConnectionEvent() means 3 existence checks:
    one you do yourself before calling it, one in ConnectionEvent(), and then
    another in QueueEvent().
    The existence check itself can be more than a few operations sometimes
    as it needs to check a few flags that determine if it's enabled, has
    a local body, or has any remote receivers in the old comm. system or
    has been flagged as something to publish in the new comm. system. (Jon Siwek, Corelight)
  * Cleanup/improve PList usage and Event API
    Majority of PLists are now created as automatic/stack objects,
    rather than on heap and initialized either with the known-capacity
    reserved upfront or directly from an initializer_list (so there's no
    wasted slack in the memory that gets allocated for lists containing
    a fixed/known number of elements).
    Added versions of the ConnectionEvent/QueueEvent methods that take
    a val_list by value.
    Added a move ctor/assign-operator to Plists to allow passing them
    around without having to copy the underlying array of pointers. (Jon Siwek, Corelight)
 2.6-250 | 2019-04-29 18:09:29 -0700
  * Remove 'dns_resolver' option, replace w/ ZEEK_DNS_RESOLVER env. var. (Jon Siwek, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-2.6-250
+2.6-255
--- a/aux/bifcl
+++ b/aux/bifcl
@ -1 +1 @@
-Subproject commit 1b5375e9f81ecec59f983e6abe86300c6bbbcb8f
+Subproject commit 7a375f0749f2bc28083863ff7ec44f3fba3510fa
--- a/src/Anon.cc
+++ b/src/Anon.cc
@ -415,10 +415,10 @@ void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output)
 	{
 	if ( anonymization_mapping )
 		{
-		val_list* vl = new val_list;
+		mgr.QueueEventFast(anonymization_mapping, {
-		vl->append(new AddrVal(input));
+			new AddrVal(input),
-		vl->append(new AddrVal(output));
+			new AddrVal(output)
-		mgr.QueueEvent(anonymization_mapping, vl);
+		});
 		}
 	}
--- a/src/Attr.cc
+++ b/src/Attr.cc
@ -141,7 +141,7 @@ Attributes::~Attributes()
 void Attributes::AddAttr(Attr* attr)
 	{
 	if ( ! attrs )
-		attrs = new attr_list;
+		attrs = new attr_list(1);
 	if ( ! attr->RedundantAttrOkay() )
 		// We overwrite old attributes by deleting them first.
--- a/src/BroList.h
+++ b/src/BroList.h
@ -13,10 +13,6 @@ class ID;
 declare(PList,ID);
 typedef PList(ID) id_list;
 class HashKey;
 declare(PList,HashKey);
 typedef PList(HashKey) hash_key_list;
 class Val;
 declare(PList,Val);
 typedef PList(Val) val_list;
@ -29,28 +25,12 @@ class BroType;
 declare(PList,BroType);
 typedef PList(BroType) type_list;
 class TypeDecl;
 declare(PList,TypeDecl);
 typedef PList(TypeDecl) type_decl_list;
 class Case;
 declare(PList,Case);
 typedef PList(Case) case_list;
 class Attr;
 declare(PList,Attr);
 typedef PList(Attr) attr_list;
 class Scope;
 declare(PList,Scope);
 typedef PList(Scope) scope_list;
 class Timer;
 declare(PList,Timer);
 typedef PList(Timer) timer_list;
 class DNS_Mgr_Request;
 declare(PList,DNS_Mgr_Request);
 typedef PList(DNS_Mgr_Request) DNS_mgr_request_list;
 #endif
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -325,12 +325,11 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
 		// and at this stage it's not a *multiple* instance.
 		return;
-	val_list* vl = new val_list;
+	ConnectionEventFast(e, 0, {
-	vl->append(BuildConnVal());
+		BuildConnVal(),
-	vl->append(val_mgr->GetBool(is_orig));
+		val_mgr->GetBool(is_orig),
-	vl->append(val_mgr->GetCount(threshold));
+		val_mgr->GetCount(threshold)
-
+	});
 	ConnectionEvent(e, 0, vl);
 	}
 void Connection::DeleteTimer(double /* t */)
@ -390,9 +389,7 @@ void Connection::EnableStatusUpdateTimer()
 void Connection::StatusUpdateTimer(double t)
 	{
-	val_list* vl = new val_list(1);
+	ConnectionEventFast(connection_status_update, 0, { BuildConnVal() });
 	vl->append(BuildConnVal());
 	ConnectionEvent(connection_status_update, 0, vl);
 	ADD_TIMER(&Connection::StatusUpdateTimer,
 			network_time + connection_status_update_interval, 0,
 			TIMER_CONN_STATUS_UPDATE);
@ -630,23 +627,23 @@ int Connection::VersionFoundEvent(const IPAddr& addr, const char* s, int len,
 		{
 		if ( software_parse_error )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(software_parse_error, analyzer, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(new AddrVal(addr));
+				new AddrVal(addr),
-			vl->append(new StringVal(len, s));
+				new StringVal(len, s),
-			ConnectionEvent(software_parse_error, analyzer, vl);
+			});
 			}
 		return 0;
 		}
 	if ( software_version_found )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(software_version_found, 0, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(new AddrVal(addr));
+			new AddrVal(addr),
-		vl->append(val);
+			val,
-		vl->append(new StringVal(len, s));
+			new StringVal(len, s),
-		ConnectionEvent(software_version_found, 0, vl);
+		});
 		}
 	else
 		Unref(val);
@ -669,11 +666,11 @@ int Connection::UnparsedVersionFoundEvent(const IPAddr& addr,
 	if ( software_unparsed_version_found )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(software_unparsed_version_found, analyzer, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(new AddrVal(addr));
+			new AddrVal(addr),
-		vl->append(new StringVal(len, full));
+			new StringVal(len, full),
-		ConnectionEvent(software_unparsed_version_found, analyzer, vl);
+		});
 		}
 	return 1;
@ -684,12 +681,11 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
 	if ( ! f )
 		return;
 	val_list* vl = new val_list(2);
 	if ( name )
-		vl->append(new StringVal(name));
+		ConnectionEventFast(f, analyzer, {new StringVal(name), BuildConnVal()});
-	vl->append(BuildConnVal());
+	else
 		ConnectionEventFast(f, analyzer, {BuildConnVal()});
 	ConnectionEvent(f, analyzer, vl);
 	}
 void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@ -701,33 +697,42 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
 		return;
 		}
 	val_list* vl = new val_list(3);
 	vl->append(BuildConnVal());
 	vl->append(v1);
 	if ( v2 )
-		vl->append(v2);
+		ConnectionEventFast(f, analyzer, {BuildConnVal(), v1, v2});
-
+	else
-	ConnectionEvent(f, analyzer, vl);
+		ConnectionEventFast(f, analyzer, {BuildConnVal(), v1});
 	}
-void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
+void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
 	{
 	if ( ! f )
 		{
 		// This may actually happen if there is no local handler
 		// and a previously existing remote handler went away.
-		loop_over_list(*vl, i)
+		loop_over_list(vl, i)
-			Unref((*vl)[i]);
+			Unref(vl[i]);
-		delete vl;
+
 		return;
 		}
 	// "this" is passed as a cookie for the event
-	mgr.QueueEvent(f, vl, SOURCE_LOCAL,
+	mgr.QueueEvent(f, std::move(vl), SOURCE_LOCAL,
 			a ? a->GetID() : 0, GetTimerMgr(), this);
 	}
 void Connection::ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
 	{
 	// "this" is passed as a cookie for the event
 	mgr.QueueEventFast(f, std::move(vl), SOURCE_LOCAL,
 			a ? a->GetID() : 0, GetTimerMgr(), this);
 	}
 void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
 	{
 	ConnectionEvent(f, a, std::move(*vl));
 	delete vl;
 	}
 void Connection::Weird(const char* name, const char* addl)
 	{
 	weird = 1;
@ -1055,12 +1060,12 @@ void Connection::CheckFlowLabel(bool is_orig, uint32 flow_label)
 		if ( connection_flow_label_changed &&
 		     (is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
 			{
-			val_list* vl = new val_list(4);
+			ConnectionEventFast(connection_flow_label_changed, 0, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(is_orig));
+				val_mgr->GetBool(is_orig),
-			vl->append(val_mgr->GetCount(my_flow_label));
+				val_mgr->GetCount(my_flow_label),
-			vl->append(val_mgr->GetCount(flow_label));
+				val_mgr->GetCount(flow_label),
-			ConnectionEvent(connection_flow_label_changed, 0, vl);
+			});
 			}
 		my_flow_label = flow_label;
--- a/src/Conn.h
+++ b/src/Conn.h
@ -174,11 +174,42 @@ public:
 	int UnparsedVersionFoundEvent(const IPAddr& addr,
 			const char* full_descr, int len, analyzer::Analyzer* analyzer);
 	// If a handler exists for 'f', an event will be generated.  If 'name' is
 	// given that event's first argument will be it, and it's second will be
 	// the connection value.  If 'name' is null, then the event's first
 	// argument is the connection value.
 	void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name = 0);
 	// If a handler exists for 'f', an event will be generated.  In any case,
 	// 'v1' and 'v2' reference counts get decremented.  The event's first
 	// argument is the connection value, second argument is 'v1', and if 'v2'
 	// is given that will be it's third argument.
 	void Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2 = 0);
 	// If a handler exists for 'f', an event will be generated.  In any case,
 	// reference count for each element in the 'vl' list are decremented.  The
 	// arguments used for the event are whatevever is provided in 'vl'.
 	void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list vl);
 	// Same as ConnectionEvent, except taking the event's argument list via a
 	// pointer instead of by value.  This function takes ownership of the
 	// memory pointed to by 'vl' and also for decrementing the reference count
 	// of each of its elements.
 	void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list* vl);
 	// Queues an event without first checking if there's any available event
 	// handlers (or remote consumes).  If it turns out there's actually nothing
 	// that will consume the event, then this may leak memory due to failing to
 	// decrement the reference count of each element in 'vl'.  i.e. use this
 	// function instead of ConnectionEvent() if you've already guarded against
 	// the case where there's no handlers (one usually also does that because
 	// it would be a waste of effort to construct all the event arguments when
 	// there's no handlers to consume them).
 	void ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list vl);
 	void Weird(const char* name, const char* addl = "");
 	bool DidWeird() const	{ return weird != 0; }
--- a/src/DFA.h
+++ b/src/DFA.h
@ -111,9 +111,6 @@ private:
 	PDict(CacheEntry) states;
 };
 declare(PList,DFA_State);
 typedef PList(DFA_State) DFA_state_list;
 class DFA_Machine : public BroObj {
 public:
 	DFA_Machine(NFA_Machine* n, EquivClass* ec);
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@ -699,25 +699,27 @@ int DNS_Mgr::Save()
 	return 1;
 	}
 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm)
 	{
 	if ( ! e )
 		return;
 	mgr.QueueEventFast(e, {BuildMappingVal(dm)});
 	}
 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2)
 	{
 	if ( ! e )
 		return;
 	val_list* vl = new val_list;
 	vl->append(BuildMappingVal(dm));
 	if ( l1 )
 		{
 		vl->append(l1->ConvertToSet());
 		if ( l2 )
 			vl->append(l2->ConvertToSet());
 	Unref(l1);
 	Unref(l2);
 		}
-	mgr.QueueEvent(e, vl);
+	mgr.QueueEventFast(e, {
 		BuildMappingVal(dm),
 		l1->ConvertToSet(),
 		l2->ConvertToSet(),
 	});
 	}
 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
@ -725,10 +727,10 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
 	if ( ! e )
 		return;
-	val_list* vl = new val_list;
+	mgr.QueueEventFast(e, {
-	vl->append(BuildMappingVal(old_dm));
+		BuildMappingVal(old_dm),
-	vl->append(BuildMappingVal(new_dm));
+		BuildMappingVal(new_dm),
-	mgr.QueueEvent(e, vl);
+	});
 	}
 Val* DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
--- a/src/DNS_Mgr.h
+++ b/src/DNS_Mgr.h
@ -9,7 +9,7 @@
 #include <utility>
 #include "util.h"
-#include "BroList.h"
+#include "List.h"
 #include "Dict.h"
 #include "EventHandler.h"
 #include "iosource/IOSource.h"
@ -23,6 +23,9 @@ class EventHandler;
 class RecordType;
 class DNS_Mgr_Request;
 declare(PList,DNS_Mgr_Request);
 typedef PList(DNS_Mgr_Request) DNS_mgr_request_list;
 struct nb_dns_info;
 struct nb_dns_result;
@ -96,8 +99,8 @@ protected:
 	friend class LookupCallback;
 	friend class DNS_Mgr_Request;
-	void Event(EventHandlerPtr e, DNS_Mapping* dm,
+	void Event(EventHandlerPtr e, DNS_Mapping* dm);
-			ListVal* l1 = 0, ListVal* l2 = 0);
+	void Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2);
 	void Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm);
 	Val* BuildMappingVal(DNS_Mapping* dm);
--- a/src/Discard.cc
+++ b/src/Discard.cc
@ -33,12 +33,11 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 	if ( check_ip )
 		{
-		val_list* args = new val_list;
+		val_list args{ip->BuildPktHdrVal()};
 		args->append(ip->BuildPktHdrVal());
 		try
 			{
-			discard_packet = check_ip->Call(args)->AsBool();
+			discard_packet = check_ip->Call(&args)->AsBool();
 			}
 		catch ( InterpreterException& e )
@ -46,8 +45,6 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			discard_packet = false;
 			}
 		delete args;
 		if ( discard_packet )
 			return discard_packet;
 		}
@ -88,21 +85,20 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			const struct tcphdr* tp = (const struct tcphdr*) data;
 			int th_len = tp->th_off * 4;
-			val_list* args = new val_list;
+			val_list args{
-			args->append(ip->BuildPktHdrVal());
+				ip->BuildPktHdrVal(),
-			args->append(BuildData(data, th_len, len, caplen));
+				BuildData(data, th_len, len, caplen),
 			};
 			try
 				{
-				discard_packet = check_tcp->Call(args)->AsBool();
+				discard_packet = check_tcp->Call(&args)->AsBool();
 				}
 			catch ( InterpreterException& e )
 				{
 				discard_packet = false;
 				}
 			delete args;
 			}
 		}
@ -113,21 +109,20 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			const struct udphdr* up = (const struct udphdr*) data;
 			int uh_len = sizeof (struct udphdr);
-			val_list* args = new val_list;
+			val_list args{
-			args->append(ip->BuildPktHdrVal());
+				ip->BuildPktHdrVal(),
-			args->append(BuildData(data, uh_len, len, caplen));
+				BuildData(data, uh_len, len, caplen),
 			};
 			try
 				{
-				discard_packet = check_udp->Call(args)->AsBool();
+				discard_packet = check_udp->Call(&args)->AsBool();
 				}
 			catch ( InterpreterException& e )
 				{
 				discard_packet = false;
 				}
 			delete args;
 			}
 		}
@ -137,20 +132,17 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			{
 			const struct icmp* ih = (const struct icmp*) data;
-			val_list* args = new val_list;
+			val_list args{ip->BuildPktHdrVal()};
 			args->append(ip->BuildPktHdrVal());
 			try
 				{
-				discard_packet = check_icmp->Call(args)->AsBool();
+				discard_packet = check_icmp->Call(&args)->AsBool();
 				}
 			catch ( InterpreterException& e )
 				{
 				discard_packet = false;
 				}
 			delete args;
 			}
 		}
--- a/src/Event.cc
+++ b/src/Event.cc
@ -13,28 +13,27 @@ EventMgr mgr;
 uint64 num_events_queued = 0;
 uint64 num_events_dispatched = 0;
 Event::Event(EventHandlerPtr arg_handler, val_list arg_args,
 		SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
 		BroObj* arg_obj)
 	: handler(arg_handler),
 	  args(std::move(arg_args)),
 	  src(arg_src),
 	  aid(arg_aid),
 	  mgr(arg_mgr ? arg_mgr : timer_mgr),
 	  obj(arg_obj),
 	  next_event(nullptr)
 	{
 	if ( obj )
 		Ref(obj);
 	}
 Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
 		SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
 		BroObj* arg_obj)
 	: Event(arg_handler, std::move(*arg_args), arg_src, arg_aid, arg_mgr, arg_obj)
 	{
-	handler = arg_handler;
+	delete arg_args;
 	args = arg_args;
 	src = arg_src;
 	mgr = arg_mgr ? arg_mgr : timer_mgr; // default is global
 	aid = arg_aid;
 	obj = arg_obj;
 	if ( obj )
 		Ref(obj);
 	next_event = 0;
 	}
 Event::~Event()
 	{
 	// We don't Unref() the individual arguments by using delete_vals()
 	// here, because Func::Call already did that.
 	delete args;
 	}
 void Event::Describe(ODesc* d) const
@ -49,7 +48,7 @@ void Event::Describe(ODesc* d) const
 	if ( ! d->IsBinary() )
 		d->Add("(");
-	describe_vals(args, d);
+	describe_vals(&args, d);
 	if ( ! d->IsBinary() )
 		d->Add("(");
 	}
@ -62,7 +61,7 @@ void Event::Dispatch(bool no_remote)
 	if ( event_serializer )
 		{
 		SerialInfo info(event_serializer);
-		event_serializer->Serialize(&info, handler->Name(), args);
+		event_serializer->Serialize(&info, handler->Name(), &args);
 		}
 	if ( handler->ErrorHandler() )
@ -70,7 +69,7 @@ void Event::Dispatch(bool no_remote)
 	try
 		{
-		handler->Call(args, no_remote);
+		handler->Call(&args, no_remote);
 		}
 	catch ( InterpreterException& e )
@ -129,7 +128,7 @@ void EventMgr::QueueEvent(Event* event)
 void EventMgr::Drain()
 	{
 	if ( event_queue_flush_point )
-		QueueEvent(event_queue_flush_point, new val_list());
+		QueueEventFast(event_queue_flush_point, val_list{});
 	SegmentProfiler(segment_logger, "draining-events");
--- a/src/Event.h
+++ b/src/Event.h
@ -11,12 +11,17 @@
 class EventMgr;
 // We don't Unref() the individual arguments by using delete_vals()
 // in a dtor because Func::Call already does that.
 class Event : public BroObj {
 public:
 	Event(EventHandlerPtr handler, val_list args,
 		SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 		TimerMgr* mgr = 0, BroObj* obj = 0);
 	Event(EventHandlerPtr handler, val_list* args,
 		SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 		TimerMgr* mgr = 0, BroObj* obj = 0);
 	~Event() override;
 	void SetNext(Event* n)		{ next_event = n; }
 	Event* NextEvent() const	{ return next_event; }
@ -25,7 +30,7 @@ public:
 	analyzer::ID Analyzer() const	{ return aid; }
 	TimerMgr* Mgr() const		{ return mgr; }
 	EventHandlerPtr Handler() const	{ return handler; }
-	val_list* Args() const	{ return args; }
+	const val_list* Args() const	{ return &args; }
 	void Describe(ODesc* d) const override;
@ -37,7 +42,7 @@ protected:
 	void Dispatch(bool no_remote = false);
 	EventHandlerPtr handler;
-	val_list* args;
+	val_list args;
 	SourceID src;
 	analyzer::ID aid;
 	TimerMgr* mgr;
@ -53,14 +58,50 @@ public:
 	EventMgr();
 	~EventMgr() override;
-	void QueueEvent(const EventHandlerPtr &h, val_list* vl,
+	// Queues an event without first checking if there's any available event
 	// handlers (or remote consumers).  If it turns out there's actually
 	// nothing that will consume the event, then this may leak memory due to
 	// failing to decrement the reference count of each element in 'vl'.  i.e.
 	// use this function instead of QueueEvent() if you've already guarded
 	// against the case where there's no handlers (one usually also does that
 	// because it would be a waste of effort to construct all the event
 	// arguments when there's no handlers to consume them).
 	void QueueEventFast(const EventHandlerPtr &h, val_list vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 			TimerMgr* mgr = 0, BroObj* obj = 0)
 		{
 		QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
 		}
 	// Queues an event if there's an event handler (or remote consumer).  This
 	// function always takes ownership of decrementing the reference count of
 	// each element of 'vl', even if there's no event handler.  If you've
 	// checked for event handler existence, you may wish to call
 	// QueueEventFast() instead of this function to prevent the redundant
 	// existence check.
 	void QueueEvent(const EventHandlerPtr &h, val_list vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 			TimerMgr* mgr = 0, BroObj* obj = 0)
 		{
 		if ( h )
-			QueueEvent(new Event(h, vl, src, aid, mgr, obj));
+			QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
 		else
-			delete_vals(vl);
+			{
 			loop_over_list(vl, i)
 				Unref(vl[i]);
 			}
 		}
 	// Same as QueueEvent, except taking the event's argument list via a
 	// pointer instead of by value.  This function takes ownership of the
 	// memory pointed to by 'vl' as well as decrementing the reference count of
 	// each of its elements.
 	void QueueEvent(const EventHandlerPtr &h, val_list* vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 			TimerMgr* mgr = 0, BroObj* obj = 0)
 		{
 		QueueEvent(h, std::move(*vl), src, aid, mgr, obj);
 		delete vl;
 		}
 	void Dispatch(Event* event, bool no_remote = false)
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@ -172,11 +172,10 @@ void EventHandler::NewEvent(val_list* vl)
 		vargs->Assign(i, rec);
 		}
-	val_list* mvl = new val_list(2);
+	Event* ev = new Event(new_event, {
-	mvl->append(new StringVal(name));
+		new StringVal(name),
-	mvl->append(vargs);
+		vargs,
-
+	});
 	Event* ev = new Event(new_event, mvl);
 	mgr.Dispatch(ev);
 	}
--- a/src/EventRegistry.cc
+++ b/src/EventRegistry.cc
@ -73,7 +73,7 @@ EventRegistry::string_list* EventRegistry::UsedHandlers()
 EventRegistry::string_list* EventRegistry::AllHandlers()
 	{
-	string_list* names = new string_list;
+	string_list* names = new string_list(handlers.Length());
 	IterCookie* c = handlers.InitForIteration();
--- a/src/Expr.cc
+++ b/src/Expr.cc
@ -2565,7 +2565,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
 		if ( attrs )
 			{
-			attr_copy = new attr_list;
+			attr_copy = new attr_list(attrs->length());
 			loop_over_list(*attrs, i)
 				attr_copy->append((*attrs)[i]);
 			}
@ -2634,7 +2634,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
 				if ( sce->Attrs() )
 					{
 					attr_list* a = sce->Attrs()->Attrs();
-					attrs = new attr_list;
+					attrs = new attr_list(a->length());
 					loop_over_list(*a, i)
 						attrs->append((*a)[i]);
 					}
@ -3467,9 +3467,9 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 	// Spin through the list, which should be comprised only of
 	// record-field-assign expressions, and build up a
 	// record type to associate with this constructor.
 	type_decl_list* record_types = new type_decl_list;
 	const expr_list& exprs = constructor_list->Exprs();
 	type_decl_list* record_types = new type_decl_list(exprs.length());
 	loop_over_list(exprs, i)
 		{
 		Expr* e = exprs[i];
@ -4469,11 +4469,12 @@ bool FlattenExpr::DoUnserialize(UnserialInfo* info)
 ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args,
 				double t, TimerMgr* arg_tmgr)
-: Timer(t, TIMER_SCHEDULE)
+	: Timer(t, TIMER_SCHEDULE),
 	  event(arg_event),
 	  args(std::move(*arg_args)),
 	  tmgr(arg_tmgr)
 	{
-	event = arg_event;
+	delete arg_args;
 	args = arg_args;
 	tmgr = arg_tmgr;
 	}
 ScheduleTimer::~ScheduleTimer()
@ -4482,7 +4483,7 @@ ScheduleTimer::~ScheduleTimer()
 void ScheduleTimer::Dispatch(double /* t */, int /* is_expire */)
 	{
-	mgr.QueueEvent(event, args, SOURCE_LOCAL, 0, tmgr);
+	mgr.QueueEvent(event, std::move(args), SOURCE_LOCAL, 0, tmgr);
 	}
 ScheduleExpr::ScheduleExpr(Expr* arg_when, EventExpr* arg_event)
@ -4998,7 +4999,8 @@ Val* EventExpr::Eval(Frame* f) const
 		return 0;
 	val_list* v = eval_list(f, args);
-	mgr.QueueEvent(handler, v);
+	mgr.QueueEvent(handler, std::move(*v));
 	delete v;
 	return 0;
 	}
@ -5128,7 +5130,7 @@ BroType* ListExpr::InitType() const
 	if ( exprs[0]->IsRecordElement(0) )
 		{
-		type_decl_list* types = new type_decl_list;
+		type_decl_list* types = new type_decl_list(exprs.length());
 		loop_over_list(exprs, i)
 			{
 			TypeDecl* td = new TypeDecl(0, 0);
--- a/src/Expr.h
+++ b/src/Expr.h
@ -937,7 +937,7 @@ public:
 protected:
 	EventHandlerPtr event;
-	val_list* args;
+	val_list args;
 	TimerMgr* tmgr;
 };
--- a/src/File.cc
+++ b/src/File.cc
@ -65,10 +65,8 @@ void RotateTimer::Dispatch(double t, int is_expire)
 		{
 		if ( raise )
 			{
 			val_list* vl = new val_list;
 			Ref(file);
-			vl->append(new Val(file));
+			mgr.QueueEvent(rotate_interval, {new Val(file)});
 			mgr.QueueEvent(rotate_interval, vl);
 			}
 		file->InstallRotateTimer();
@ -641,19 +639,15 @@ void BroFile::CloseCachedFiles()
 		// Send final rotate events (immediately).
 		if ( f->rotate_interval )
 			{
 			val_list* vl = new val_list;
 			Ref(f);
-			vl->append(new Val(f));
+			Event* event = new Event(::rotate_interval, {new Val(f)});
 			Event* event = new Event(::rotate_interval, vl);
 			mgr.Dispatch(event, true);
 			}
 		if ( f->rotate_size )
 			{
 			val_list* vl = new val_list;
 			Ref(f);
-			vl->append(new Val(f));
+			Event* event = new ::Event(::rotate_size, {new Val(f)});
 			Event* event = new ::Event(::rotate_size, vl);
 			mgr.Dispatch(event, true);
 			}
@ -801,9 +795,7 @@ int BroFile::Write(const char* data, int len)
 	if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size )
 		{
-		val_list* vl = new val_list;
+		mgr.QueueEvent(::rotate_size, {new Val(this)});
 		vl->append(new Val(this));
 		mgr.QueueEvent(::rotate_size, vl);
 		}
 	// This does not work if we seek around. But none of the logs does that
@ -818,10 +810,8 @@ void BroFile::RaiseOpenEvent()
 	if ( ! ::file_opened )
 		return;
 	val_list* vl = new val_list;
 	Ref(this);
-	vl->append(new Val(this));
+	Event* event = new ::Event(::file_opened, {new Val(this)});
 	Event* event = new ::Event(::file_opened, vl);
 	mgr.Dispatch(event, true);
 	}
--- a/src/ID.cc
+++ b/src/ID.cc
@ -258,8 +258,7 @@ void ID::MakeDeprecated()
 	if ( IsDeprecated() )
 		return;
-	attr_list* attr = new attr_list;
+	attr_list* attr = new attr_list{new Attr(ATTR_DEPRECATED)};
 	attr->append(new Attr(ATTR_DEPRECATED));
 	AddAttrs(new Attributes(attr, Type(), false));
 	}
@ -305,8 +304,7 @@ void ID::SetOption()
 	// option implied redefinable
 	if ( ! IsRedefinable() )
 		{
-		attr_list* attr = new attr_list;
+		attr_list* attr = new attr_list{new Attr(ATTR_REDEF)};
 		attr->append(new Attr(ATTR_REDEF));
 		AddAttrs(new Attributes(attr, Type(), false));
 		}
 	}
--- a/src/List.cc
+++ b/src/List.cc
@ -12,11 +12,13 @@
 BaseList::BaseList(int size)
 	{
 	num_entries = 0;
 	max_entries = 0;
 	entry = 0;
 	if ( size <= 0 )
 		{
 		max_entries = 0;
 		entry = 0;
 		return;
 		}
 	max_entries = size;
@ -24,7 +26,7 @@ BaseList::BaseList(int size)
 	}
-BaseList::BaseList(BaseList& b)
+BaseList::BaseList(const BaseList& b)
 	{
 	max_entries = b.max_entries;
 	num_entries = b.num_entries;
@ -38,17 +40,33 @@ BaseList::BaseList(BaseList& b)
 		entry[i] = b.entry[i];
 	}
 BaseList::BaseList(BaseList&& b)
 	{
 	entry = b.entry;
 	num_entries = b.num_entries;
 	max_entries = b.max_entries;
 	b.entry = 0;
 	b.num_entries = b.max_entries = 0;
 	}
 BaseList::BaseList(const ent* arr, int n)
 	{
 	num_entries = max_entries = n;
 	entry = (ent*) safe_malloc(max_entries * sizeof(ent));
 	memcpy(entry, arr, n * sizeof(ent));
 	}
 void BaseList::sort(list_cmp_func cmp_func)
 	{
 	qsort(entry, num_entries, sizeof(ent), cmp_func);
 	}
-void BaseList::operator=(BaseList& b)
+BaseList& BaseList::operator=(const BaseList& b)
 	{
 	if ( this == &b )
-		return;	// i.e., this already equals itself
+		return *this;
 	if ( entry )
 	free(entry);
 	max_entries = b.max_entries;
@ -61,6 +79,23 @@ void BaseList::operator=(BaseList& b)
 	for ( int i = 0; i < num_entries; ++i )
 		entry[i] = b.entry[i];
 	return *this;
 	}
 BaseList& BaseList::operator=(BaseList&& b)
 	{
 	if ( this == &b )
 		return *this;
 	free(entry);
 	entry = b.entry;
 	num_entries = b.num_entries;
 	max_entries = b.max_entries;
 	b.entry = 0;
 	b.num_entries = b.max_entries = 0;
 	return *this;
 	}
 void BaseList::insert(ent a)
@ -144,13 +179,9 @@ ent BaseList::get()
 void BaseList::clear()
 	{
 	if ( entry )
 	{
 	free(entry);
 	entry = 0;
 		}
 	num_entries = max_entries = 0;
 	}
--- a/src/List.h
+++ b/src/List.h
@ -20,6 +20,8 @@
 //	Entries must be either a pointer to the data or nonzero data with
 //	sizeof(data) <= sizeof(void*).
 #include <initializer_list>
 #include <utility>
 #include <stdarg.h>
 #include "util.h"
@ -28,8 +30,6 @@ typedef int (*list_cmp_func)(const void* v1, const void* v2);
 class BaseList {
 public:
 	~BaseList()		{ clear(); }
 	void clear();		// remove all entries
 	int length() const	{ return num_entries; }
 	int max() const		{ return max_entries; }
@ -41,8 +41,14 @@ public:
 		{ return padded_sizeof(*this) + pad_size(max_entries * sizeof(ent)); }
 protected:
 	~BaseList()		{ free(entry); }
 	explicit BaseList(int = 0);
-	BaseList(BaseList&);
+	BaseList(const BaseList&);
 	BaseList(BaseList&&);
 	BaseList(const ent* arr, int n);
 	BaseList& operator=(const BaseList&);
 	BaseList& operator=(BaseList&&);
 	void insert(ent);	// add at head of list
@ -75,7 +81,29 @@ protected:
 			return entry[i];
 		}
-	void operator=(BaseList&);
+	// This could essentially be an std::vector if we wanted.  Some
 	// reasons to maybe not refactor to use std::vector ?
 	//
 	//  - Harder to use a custom growth factor.  Also, the growth
 	//    factor would be implementation-specific, taking some control over
 	//    performance out of our hands.
 	//
 	//  - It won't ever take advantage of realloc's occasional ability to
 	//    grow in-place.
 	//
 	//  - Combine above point this with lack of control of growth
 	//    factor means the common choice of 2x growth factor causes
 	//    a growth pattern that crawls forward in memory with no possible
 	//    re-use of previous chunks (the new capacity is always larger than
 	//    all previously allocated chunks combined).  This point and
 	//    whether 2x is empirically an issue still seems debated (at least
 	//    GCC seems to stand by 2x as empirically better).
 	//
 	//  - Sketchy shrinking behavior: standard says that requests to
 	//    shrink are non-binding (it's expected implementations heed, but
 	//    still not great to have no guarantee).  Also, it would not take
 	//    advantage of realloc's ability to contract in-place, it would
 	//    allocate-and-copy.
 	ent* entry;
 	int max_entries;
@ -103,10 +131,13 @@ struct List(type) : BaseList						\
 	explicit List(type)(type ...);						\
 	List(type)() : BaseList(0) {}					\
 	explicit List(type)(int sz) : BaseList(sz) {}				\
-	List(type)(List(type)& l) : BaseList((BaseList&)l) {}		\
+	List(type)(const List(type)& l) : BaseList(l) {}		\
 	List(type)(List(type)&& l) : BaseList(std::move(l)) {}		\
 									\
-	void operator=(List(type)& l)					\
+	List(type)& operator=(const List(type)& l)					\
-		{ BaseList::operator=((BaseList&)l); }			\
+		{ return (List(type)&) BaseList::operator=(l); }			\
 	List(type)& operator=(List(type)&& l)					\
 		{ return (List(type)&) BaseList::operator=(std::move(l)); }			\
 	void insert(type a)	{ BaseList::insert(ent(a)); }		\
 	void sortedinsert(type a, list_cmp_func cmp_func)		\
 		{ BaseList::sortedinsert(ent(a), cmp_func); }		\
@ -144,10 +175,14 @@ struct PList(type) : BaseList						\
 	explicit PList(type)(type* ...);						\
 	PList(type)() : BaseList(0) {}					\
 	explicit PList(type)(int sz) : BaseList(sz) {}				\
-	PList(type)(PList(type)& l) : BaseList((BaseList&)l) {}		\
+	PList(type)(const PList(type)& l) : BaseList(l) {}		\
 	PList(type)(PList(type)&& l) : BaseList(std::move(l)) {}		\
 	PList(type)(std::initializer_list<type*> il) : BaseList((const ent*)il.begin(), il.size()) {}		\
 									\
-	void operator=(PList(type)& l)					\
+	PList(type)& operator=(const PList(type)& l)					\
-		{ BaseList::operator=((BaseList&)l); }			\
+		{ return (PList(type)&) BaseList::operator=(l); }			\
 	PList(type)& operator=(PList(type)&& l)					\
 		{ return (PList(type)&) BaseList::operator=(std::move(l)); }			\
 	void insert(type* a)	{ BaseList::insert(ent(a)); }		\
 	void sortedinsert(type* a, list_cmp_func cmp_func)		\
 		{ BaseList::sortedinsert(ent(a), cmp_func); }		\
--- a/src/PersistenceSerializer.cc
+++ b/src/PersistenceSerializer.cc
@ -201,7 +201,8 @@ void PersistenceSerializer::RaiseFinishedSendState()
 void PersistenceSerializer::GotEvent(const char* name, double time,
 					EventHandlerPtr event, val_list* args)
 	{
-	mgr.QueueEvent(event, args);
+	mgr.QueueEvent(event, std::move(*args));
 	delete args;
 	}
 void PersistenceSerializer::GotFunctionCall(const char* name, double time,
--- a/src/RE.h
+++ b/src/RE.h
@ -229,9 +229,6 @@ protected:
 	Specific_RE_Matcher* re_exact;
 };
 declare(PList, RE_Matcher);
 typedef PList(RE_Matcher) re_matcher_list;
 extern RE_Matcher* RE_Matcher_conjunction(const RE_Matcher* re1, const RE_Matcher* re2);
 extern RE_Matcher* RE_Matcher_disjunction(const RE_Matcher* re1, const RE_Matcher* re2);
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@ -1435,7 +1435,9 @@ void RemoteSerializer::Process()
 			break;
 		BufferedEvent* be = events[0];
-		::Event* event = new ::Event(be->handler, be->args, be->src);
+		::Event* event = new ::Event(be->handler, std::move(*be->args), be->src);
 		delete be->args;
 		be->args = nullptr;
 		Peer* old_current_peer = current_peer;
 		// Prevent the source peer from getting the event back.
@ -2260,14 +2262,14 @@ bool RemoteSerializer::ProcessPongMsg()
 	ping_args* args = (ping_args*) current_args->data;
-	val_list* vl = new val_list;
+	mgr.QueueEvent(remote_pong, {
-	vl->append(current_peer->val->Ref());
+		current_peer->val->Ref(),
-	vl->append(val_mgr->GetCount((unsigned int) ntohl(args->seq)));
+		val_mgr->GetCount((unsigned int) ntohl(args->seq)),
-	vl->append(new Val(current_time(true) - ntohd(args->time1),
+		new Val(current_time(true) - ntohd(args->time1),
-				TYPE_INTERVAL));
+					TYPE_INTERVAL),
-	vl->append(new Val(ntohd(args->time2), TYPE_INTERVAL));
+		new Val(ntohd(args->time2), TYPE_INTERVAL),
-	vl->append(new Val(ntohd(args->time3), TYPE_INTERVAL));
+		new Val(ntohd(args->time3), TYPE_INTERVAL)
-	mgr.QueueEvent(remote_pong, vl);
+	});
 	return true;
 	}
@ -3006,20 +3008,20 @@ void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
 	{
 	if ( peer )
 		{
-		val_list* vl = new val_list();
+		mgr.QueueEvent(remote_log_peer, {
-		vl->append(peer->val->Ref());
+			peer->val->Ref(),
-		vl->append(val_mgr->GetCount(level));
+			val_mgr->GetCount(level),
-		vl->append(val_mgr->GetCount(src));
+			val_mgr->GetCount(src),
-		vl->append(new StringVal(msg));
+			new StringVal(msg)
-		mgr.QueueEvent(remote_log_peer, vl);
+		});
 		}
 	else
 		{
-		val_list* vl = new val_list();
+		mgr.QueueEvent(remote_log, {
-		vl->append(val_mgr->GetCount(level));
+			val_mgr->GetCount(level),
-		vl->append(val_mgr->GetCount(src));
+			val_mgr->GetCount(src),
-		vl->append(new StringVal(msg));
+			new StringVal(msg)
-		mgr.QueueEvent(remote_log, vl);
+		});
 		}
 #ifdef DEBUG
@ -3041,27 +3043,27 @@ void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
 void RemoteSerializer::RaiseEvent(EventHandlerPtr event, Peer* peer,
 					const char* arg)
 	{
-	val_list* vl = new val_list;
+	val_list vl(1 + (bool)arg);
 	if ( peer )
 		{
 		Ref(peer->val);
-		vl->append(peer->val);
+		vl.append(peer->val);
 		}
 	else
 		{
 		Val* v = mgr.GetLocalPeerVal();
 		v->Ref();
-		vl->append(v);
+		vl.append(v);
 		}
 	if ( arg )
-		vl->append(new StringVal(arg));
+		vl.append(new StringVal(arg));
 	// If we only have remote sources, the network time
 	// will not increase as long as no peers are connected.
 	// Therefore, we send these events immediately.
-	mgr.Dispatch(new Event(event, vl, PEER_LOCAL));
+	mgr.Dispatch(new Event(event, std::move(vl), PEER_LOCAL));
 	}
 void RemoteSerializer::LogStats()
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
@ -216,36 +216,30 @@ void Reporter::Syslog(const char* fmt, ...)
 void Reporter::WeirdHelper(EventHandlerPtr event, Val* conn_val, file_analysis::File* f, const char* addl, const char* fmt_name, ...)
 	{
-	val_list* vl = new val_list(1);
+	val_list vl(2);
 	if ( conn_val )
-		vl->append(conn_val);
+		vl.append(conn_val);
 	else if ( f )
-		vl->append(f->GetVal()->Ref());
+		vl.append(f->GetVal()->Ref());
 	if ( addl )
-		vl->append(new StringVal(addl));
+		vl.append(new StringVal(addl));
 	va_list ap;
 	va_start(ap, fmt_name);
-	DoLog("weird", event, 0, 0, vl, false, false, 0, fmt_name, ap);
+	DoLog("weird", event, 0, 0, &vl, false, false, 0, fmt_name, ap);
 	va_end(ap);
 	delete vl;
 	}
 void Reporter::WeirdFlowHelper(const IPAddr& orig, const IPAddr& resp, const char* fmt_name, ...)
 	{
-	val_list* vl = new val_list(2);
+	val_list vl{new AddrVal(orig), new AddrVal(resp)};
 	vl->append(new AddrVal(orig));
 	vl->append(new AddrVal(resp));
 	va_list ap;
 	va_start(ap, fmt_name);
-	DoLog("weird", flow_weird, 0, 0, vl, false, false, 0, fmt_name, ap);
+	DoLog("weird", flow_weird, 0, 0, &vl, false, false, 0, fmt_name, ap);
 	va_end(ap);
 	delete vl;
 	}
 void Reporter::UpdateWeirdStats(const char* name)
@ -489,29 +483,32 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 	if ( raise_event && event && via_events && ! in_error_handler )
 		{
-		val_list* vl = new val_list;
+		auto vl_size = 1 + (bool)time + (bool)location + (bool)conn +
 		               (addl ? addl->length() : 0);
 		val_list vl(vl_size);
 		if ( time )
-			vl->append(new Val((bro_start_network_time != 0.0) ? network_time : 0, TYPE_TIME));
+			vl.append(new Val((bro_start_network_time != 0.0) ? network_time : 0, TYPE_TIME));
-		vl->append(new StringVal(buffer));
+		vl.append(new StringVal(buffer));
 		if ( location )
-			vl->append(new StringVal(loc_str.c_str()));
+			vl.append(new StringVal(loc_str.c_str()));
 		if ( conn )
-			vl->append(conn->BuildConnVal());
+			vl.append(conn->BuildConnVal());
 		if ( addl )
 			{
 			loop_over_list(*addl, i)
-				vl->append((*addl)[i]);
+				vl.append((*addl)[i]);
 			}
 		if ( conn )
-			conn->ConnectionEvent(event, 0, vl);
+			conn->ConnectionEventFast(event, 0, std::move(vl));
 		else
-			mgr.QueueEvent(event, vl);
+			mgr.QueueEventFast(event, std::move(vl));
 		}
 	else
 		{
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@ -17,16 +17,11 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
 	{
 	if ( signature_match )
 		{
-		val_list* vl = new val_list;
+		mgr.QueueEventFast(signature_match, {
-		vl->append(rule_matcher->BuildRuleStateValue(parent, state));
+			rule_matcher->BuildRuleStateValue(parent, state),
-		vl->append(new StringVal(msg));
+			new StringVal(msg),
-
+			data ? new StringVal(len, (const char*)data) : val_mgr->GetEmptyString(),
-		if ( data )
+		});
 			vl->append(new StringVal(len, (const char*)data));
 		else
 			vl->append(val_mgr->GetEmptyString());
 		mgr.QueueEvent(signature_match, vl);
 		}
 	}
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@ -162,7 +162,7 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
 		return id->ID_Val()->AsBool();
 	// Call function with a signature_state value as argument.
-	val_list args;
+	val_list args(2);
 	args.append(rule_matcher->BuildRuleStateValue(rule, state));
 	if ( data )
--- a/src/Scope.cc
+++ b/src/Scope.cc
@ -7,6 +7,9 @@
 #include "Scope.h"
 #include "Reporter.h"
 declare(PList,Scope);
 typedef PList(Scope) scope_list;
 static scope_list scopes;
 static Scope* top_scope;
--- a/src/Serializer.cc
+++ b/src/Serializer.cc
@ -365,7 +365,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info)
 	d.SetIncludeStats(true);
 	d.SetShort();
-	val_list* args = new val_list;
+	val_list* args = new val_list(len);
 	for ( int i = 0; i < len; ++i )
 		{
 		Val* v = Val::Unserialize(info);
@ -996,7 +996,8 @@ void EventPlayer::GotEvent(const char* name, double time,
 	{
 	ne_time = time;
 	ne_handler = event;
-	ne_args = args;
+	ne_args = std::move(*args);
 	delete args;
 	}
 void EventPlayer::GotFunctionCall(const char* name, double time,
@ -1054,7 +1055,7 @@ void EventPlayer::Process()
 	if ( ! (io && ne_time) )
 		return;
-	Event* event = new Event(ne_handler, ne_args);
+	Event* event = new Event(ne_handler, std::move(ne_args));
 	mgr.Dispatch(event);
 	ne_time = 0;
--- a/src/Serializer.h
+++ b/src/Serializer.h
@ -353,7 +353,7 @@ protected:
 	// Next event waiting to be dispatched.
 	double ne_time;
 	EventHandlerPtr ne_handler;
-	val_list* ne_args;
+	val_list ne_args;
 };
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -171,11 +171,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 	SegmentProfiler(segment_logger, "dispatching-packet");
 	if ( raw_packet )
-		{
+		mgr.QueueEventFast(raw_packet, {pkt->BuildPktHdrVal()});
 		val_list* vl = new val_list();
 		vl->append(pkt->BuildPktHdrVal());
 		mgr.QueueEvent(raw_packet, vl);
 		}
 	if ( pkt_profiler )
 		pkt_profiler->ProfilePkt(t, pkt->cap_len);
@ -415,11 +411,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		{
 		dump_this_packet = 1;
 		if ( esp_packet )
-			{
+			mgr.QueueEventFast(esp_packet, {ip_hdr->BuildPktHdrVal()});
 			val_list* vl = new val_list();
 			vl->append(ip_hdr->BuildPktHdrVal());
 			mgr.QueueEvent(esp_packet, vl);
 			}
 		// Can't do more since upper-layer payloads are going to be encrypted.
 		return;
@ -439,11 +431,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 			}
 		if ( mobile_ipv6_message )
-			{
+			mgr.QueueEvent(mobile_ipv6_message, {ip_hdr->BuildPktHdrVal()});
 			val_list* vl = new val_list();
 			vl->append(ip_hdr->BuildPktHdrVal());
 			mgr.QueueEvent(mobile_ipv6_message, vl);
 			}
 		if ( ip_hdr->NextProto() != IPPROTO_NONE )
 			Weird("mobility_piggyback", pkt, encapsulation);
@ -1327,12 +1315,12 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
 		{
 		conn->Event(new_connection, 0);
-		if ( external )
+		if ( external && connection_external )
 			{
-			val_list* vl = new val_list(2);
+			conn->ConnectionEventFast(connection_external, 0, {
-			vl->append(conn->BuildConnVal());
+				conn->BuildConnVal(),
-			vl->append(new StringVal(conn->GetTimerMgr()->GetTag().c_str()));
+				new StringVal(conn->GetTimerMgr()->GetTag().c_str()),
-			conn->ConnectionEvent(connection_external, 0, vl);
+			});
 			}
 		}
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@ -192,12 +192,12 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index,
 	else
 		arg3 = new StringVal("<none>");
-	val_list* args = new val_list;
+	mgr.QueueEvent(remote_state_inconsistency, {
-	args->append(new StringVal(op));
+		new StringVal(op),
-	args->append(arg1);
+		arg1,
-	args->append(arg2);
+		arg2,
-	args->append(arg3);
+		arg3,
-	mgr.QueueEvent(remote_state_inconsistency, args);
+	});
 	return false;
 	}
@ -219,12 +219,12 @@ bool StateAccess::CheckOldSet(const char* op, ID* id, Val* index,
 	Val* arg2 = new StringVal(should ? "set" : "not set");
 	Val* arg3 = new StringVal(is ? "set" : "not set");
-	val_list* args = new val_list;
+	mgr.QueueEvent(remote_state_inconsistency, {
-	args->append(new StringVal(op));
+		new StringVal(op),
-	args->append(arg1);
+		arg1,
-	args->append(arg2);
+		arg2,
-	args->append(arg3);
+		arg3,
-	mgr.QueueEvent(remote_state_inconsistency, args);
+	});
 	return false;
 	}
@ -514,12 +514,12 @@ void StateAccess::Replay()
 					d.SetShort();
 					op1.val->Describe(&d);
-					val_list* args = new val_list;
+					mgr.QueueEvent(remote_state_inconsistency, {
-					args->append(new StringVal("read"));
+						new StringVal("read"),
-					args->append(new StringVal(fmt("%s[%s]", target.id->Name(), d.Description())));
+						new StringVal(fmt("%s[%s]", target.id->Name(), d.Description())),
-					args->append(new StringVal("existent"));
+						new StringVal("existent"),
-					args->append(new StringVal("not existent"));
+						new StringVal("not existent"),
-					mgr.QueueEvent(remote_state_inconsistency, args);
+					});
 					}
 				}
 			}
@ -536,10 +536,10 @@ void StateAccess::Replay()
 	if ( remote_state_access_performed )
 		{
-		val_list* vl = new val_list;
+		mgr.QueueEventFast(remote_state_access_performed, {
-		vl->append(new StringVal(target.id->Name()));
+			new StringVal(target.id->Name()),
-		vl->append(target.id->ID_Val()->Ref());
+			target.id->ID_Val()->Ref(),
-		mgr.QueueEvent(remote_state_access_performed, vl);
+		});
 		}
 	}
@ -943,8 +943,7 @@ void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
 		}
 	else
 		{
-		attr_list* a = new attr_list;
+		attr_list* a = new attr_list{attr};
 		a->append(attr);
 		id->SetAttrs(new Attributes(a, id->Type(), false));
 		}
--- a/src/Stats.cc
+++ b/src/Stats.cc
@ -310,11 +310,11 @@ void ProfileLogger::Log()
 	// (and for consistency we dispatch it *now*)
 	if ( profiling_update )
 		{
 		val_list* vl = new val_list;
 		Ref(file);
-		vl->append(new Val(file));
+		mgr.Dispatch(new Event(profiling_update, {
-		vl->append(val_mgr->GetBool(expensive));
+			new Val(file),
-		mgr.Dispatch(new Event(profiling_update, vl));
+			val_mgr->GetBool(expensive),
 		}));
 		}
 	}
@ -369,12 +369,12 @@ void SampleLogger::SegmentProfile(const char* /* name */,
 					const Location* /* loc */,
 					double dtime, int dmem)
 	{
-	val_list* vl = new val_list(2);
+	if ( load_sample )
-	vl->append(load_samples->Ref());
+		mgr.QueueEventFast(load_sample, {
-	vl->append(new IntervalVal(dtime, Seconds));
+			load_samples->Ref(),
-	vl->append(val_mgr->GetInt(dmem));
+			new IntervalVal(dtime, Seconds),
-
+			val_mgr->GetInt(dmem)
-	mgr.QueueEvent(load_sample, vl);
+		});
 	}
 void SegmentProfiler::Init()
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@ -292,13 +292,14 @@ Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
 		if ( print_hook )
 			{
 			val_list* vl = new val_list(2);
 			::Ref(f);
 			vl->append(new Val(f));
 			vl->append(new StringVal(d.Len(), d.Description()));
 			// Note, this doesn't do remote printing.
-			mgr.Dispatch(new Event(print_hook, vl), true);
+			mgr.Dispatch(
 			    new Event(
 			        print_hook,
 			        {new Val(f), new StringVal(d.Len(), d.Description())}),
 			    true);
 			}
 		if ( remote_serializer )
@ -704,7 +705,7 @@ bool Case::DoUnserialize(UnserialInfo* info)
 	if ( ! UNSERIALIZE(&len) )
 		return false;
-	type_cases = new id_list;
+	type_cases = new id_list(len);
 	while ( len-- )
 		{
@ -1198,7 +1199,10 @@ Val* EventStmt::Exec(Frame* f, stmt_flow_type& flow) const
 	val_list* args = eval_list(f, event_expr->Args());
 	if ( args )
-		mgr.QueueEvent(event_expr->Handler(), args);
+		{
 		mgr.QueueEvent(event_expr->Handler(), std::move(*args));
 		delete args;
 		}
 	flow = FLOW_NEXT;
@ -1633,7 +1637,7 @@ bool ForStmt::DoUnserialize(UnserialInfo* info)
 	if ( ! UNSERIALIZE(&len) )
 		return false;
-	loop_vars = new id_list;
+	loop_vars = new id_list(len);
 	while ( len-- )
 		{
@ -2149,7 +2153,7 @@ bool InitStmt::DoUnserialize(UnserialInfo* info)
 	if ( ! UNSERIALIZE(&len) )
 		return false;
-	inits = new id_list;
+	inits = new id_list(len);
 	while ( len-- )
 		{
--- a/src/Stmt.h
+++ b/src/Stmt.h
@ -213,6 +213,9 @@ protected:
 	Stmt* s;
 };
 declare(PList,Case);
 typedef PList(Case) case_list;
 class SwitchStmt : public ExprStmt {
 public:
 	SwitchStmt(Expr* index, case_list* cases);
--- a/src/Type.cc
+++ b/src/Type.cc
@ -2266,7 +2266,7 @@ BroType* merge_types(const BroType* t1, const BroType* t2)
 		if ( rt1->NumFields() != rt2->NumFields() )
 			return 0;
-		type_decl_list* tdl3 = new type_decl_list;
+		type_decl_list* tdl3 = new type_decl_list(rt1->NumFields());
 		for ( int i = 0; i < rt1->NumFields(); ++i )
 			{
--- a/src/Type.h
+++ b/src/Type.h
@ -460,6 +460,9 @@ public:
 	const char* id;
 };
 declare(PList,TypeDecl);
 typedef PList(TypeDecl) type_decl_list;
 class RecordType : public BroType {
 public:
 	explicit RecordType(type_decl_list* types);
--- a/src/Val.cc
+++ b/src/Val.cc
@ -1861,29 +1861,30 @@ Val* TableVal::Default(Val* index)
 		return def_attr->AttrExpr()->IsConst() ? def_val->Ref() : def_val->Clone();
 	const Func* f = def_val->AsFunc();
-	val_list* vl = new val_list();
+	val_list vl;
 	if ( index->Type()->Tag() == TYPE_LIST )
 		{
 		const val_list* vl0 = index->AsListVal()->Vals();
 		vl = val_list(vl0->length());
 		loop_over_list(*vl0, i)
-			vl->append((*vl0)[i]->Ref());
+			vl.append((*vl0)[i]->Ref());
 		}
 	else
-		vl->append(index->Ref());
+		{
 		vl = val_list{index->Ref()};
 		}
 	Val* result = 0;
 	try
 		{
-		result = f->Call(vl);
+		result = f->Call(&vl);
 		}
 	catch ( InterpreterException& e )
 		{ /* Already reported. */ }
 	delete vl;
 	if ( ! result )
 		{
 		Error("no value returned from &default function");
@ -2423,8 +2424,27 @@ double TableVal::CallExpireFunc(Val* idx)
 		return 0;
 		}
-	val_list* vl = new val_list;
+	double secs = 0;
-	vl->append(Ref());
+
 	try
 		{
 		Val* vf = expire_func->Eval(0);
 		if ( ! vf )
 			{
 			// Will have been reported already.
 			Unref(idx);
 			return 0;
 			}
 		if ( vf->Type()->Tag() != TYPE_FUNC )
 			{
 			vf->Error("not a function");
 			Unref(vf);
 			Unref(idx);
 			return 0;
 			}
 		// Flatten lists of a single element.
 		if ( idx->Type()->Tag() == TYPE_LIST &&
@ -2436,30 +2456,8 @@ double TableVal::CallExpireFunc(Val* idx)
 			Unref(old);
 			}
-	vl->append(idx);
+		val_list vl{Ref(), idx};
-
+		Val* vs = vf->AsFunc()->Call(&vl);
 	double secs = 0;
 	try
 		{
 		Val* vf = expire_func->Eval(0);
 		if ( ! vf )
 			{
 			// Will have been reported already.
 			delete_vals(vl);
 			return 0;
 			}
 		if ( vf->Type()->Tag() != TYPE_FUNC )
 			{
 			Unref(vf);
 			delete_vals(vl);
 			vf->Error("not a function");
 			return 0;
 			}
 		Val* vs = vf->AsFunc()->Call(vl);
 		if ( vs )
 			{
@ -2468,7 +2466,6 @@ double TableVal::CallExpireFunc(Val* idx)
 			}
 		Unref(vf);
 		delete vl;
 		}
 	catch ( InterpreterException& e )
--- a/src/Var.cc
+++ b/src/Var.cc
@ -325,8 +325,7 @@ static void transfer_arg_defaults(RecordType* args, RecordType* recv)
 		if ( ! recv_i->attrs )
 			{
-			attr_list* a = new attr_list();
+			attr_list* a = new attr_list{def};
 			a->append(def);
 			recv_i->attrs = new Attributes(a, recv_i->type, true);
 			}
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@ -662,16 +662,19 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
 	if ( protocol_confirmed )
 		return;
 	protocol_confirmed = true;
 	if ( ! protocol_confirmation )
 		return;
 	EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
 	Ref(tval);
-	val_list* vl = new val_list;
+	mgr.QueueEventFast(protocol_confirmation, {
-	vl->append(BuildConnVal());
+		BuildConnVal(),
-	vl->append(tval);
+		tval,
-	vl->append(val_mgr->GetCount(id));
+		val_mgr->GetCount(id),
-	mgr.QueueEvent(protocol_confirmation, vl);
+	});
 	protocol_confirmed = true;
 	}
 void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
@ -689,15 +692,18 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 	else
 		r = new StringVal(reason);
 	if ( ! protocol_violation )
 		return;
 	EnumVal* tval = tag.AsEnumVal();
 	Ref(tval);
-	val_list* vl = new val_list;
+	mgr.QueueEventFast(protocol_violation, {
-	vl->append(BuildConnVal());
+		BuildConnVal(),
-	vl->append(tval);
+		tval,
-	vl->append(val_mgr->GetCount(id));
+		val_mgr->GetCount(id),
-	vl->append(r);
+		r,
-	mgr.QueueEvent(protocol_violation, vl);
+	});
 	}
 void Analyzer::AddTimer(analyzer_timer_func timer, double t,
@ -782,6 +788,16 @@ void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
 	conn->ConnectionEvent(f, this, vl);
 	}
 void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list vl)
 	{
 	conn->ConnectionEvent(f, this, std::move(vl));
 	}
 void Analyzer::ConnectionEventFast(EventHandlerPtr f, val_list vl)
 	{
 	conn->ConnectionEventFast(f, this, std::move(vl));
 	}
 void Analyzer::Weird(const char* name, const char* addl)
 	{
 	conn->Weird(name, addl);
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@ -541,6 +541,18 @@ public:
 	 */
 	void ConnectionEvent(EventHandlerPtr f, val_list* vl);
 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEvent().
 	 */
 	void ConnectionEvent(EventHandlerPtr f, val_list vl);
 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEventFast().
 	 */
 	void ConnectionEventFast(EventHandlerPtr f, val_list vl);
 	/**
 	 * Convenience function that forwards directly to the corresponding
 	 * Connection::Weird().
--- a/src/analyzer/protocol/arp/ARP.cc
+++ b/src/analyzer/protocol/arp/ARP.cc
@ -190,13 +190,13 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
 	if ( ! bad_arp )
 		return;
-	val_list* vl = new val_list;
+	mgr.QueueEventFast(bad_arp, {
-	vl->append(ConstructAddrVal(ar_spa(hdr)));
+		ConstructAddrVal(ar_spa(hdr)),
-	vl->append(EthAddrToStr((const u_char*) ar_sha(hdr)));
+		EthAddrToStr((const u_char*) ar_sha(hdr)),
-	vl->append(ConstructAddrVal(ar_tpa(hdr)));
+		ConstructAddrVal(ar_tpa(hdr)),
-	vl->append(EthAddrToStr((const u_char*) ar_tha(hdr)));
+		EthAddrToStr((const u_char*) ar_tha(hdr)),
-	vl->append(new StringVal(msg));
+		new StringVal(msg),
-	mgr.QueueEvent(bad_arp, vl);
+	});
 	}
 void ARP_Analyzer::Corrupted(const char* msg)
@ -212,18 +212,14 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e,
 	if ( ! e )
 		return;
-	// init the val_list
+	mgr.QueueEventFast(e, {
-	val_list* vl = new val_list;
+		EthAddrToStr(src),
-
+		EthAddrToStr(dst),
-	// prepare the event arguments
+		ConstructAddrVal(spa),
-	vl->append(EthAddrToStr(src));
+		EthAddrToStr((const u_char*) sha),
-	vl->append(EthAddrToStr(dst));
+		ConstructAddrVal(tpa),
-	vl->append(ConstructAddrVal(spa));
+		EthAddrToStr((const u_char*) tha),
-	vl->append(EthAddrToStr((const u_char*) sha));
+	});
 	vl->append(ConstructAddrVal(tpa));
 	vl->append(EthAddrToStr((const u_char*) tha));
 	mgr.QueueEvent(e, vl);
 	}
 AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)
--- a/src/analyzer/protocol/backdoor/BackDoor.cc
+++ b/src/analyzer/protocol/backdoor/BackDoor.cc
@ -246,13 +246,15 @@ void BackDoorEndpoint::RloginSignatureFound(int len)
 	rlogin_checking_done = 1;
-	val_list* vl = new val_list;
+	if ( ! rlogin_signature_found )
-	vl->append(endp->TCP()->BuildConnVal());
+		return;
 	vl->append(val_mgr->GetBool(endp->IsOrig()));
 	vl->append(val_mgr->GetCount(rlogin_num_null));
 	vl->append(val_mgr->GetCount(len));
-	endp->TCP()->ConnectionEvent(rlogin_signature_found, vl);
+	endp->TCP()->ConnectionEventFast(rlogin_signature_found, {
 		endp->TCP()->BuildConnVal(),
 		val_mgr->GetBool(endp->IsOrig()),
 		val_mgr->GetCount(rlogin_num_null),
 		val_mgr->GetCount(len),
 	});
 	}
 void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data)
@ -338,12 +340,14 @@ void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* d
 void BackDoorEndpoint::TelnetSignatureFound(int len)
 	{
-	val_list* vl = new val_list;
+	if ( ! telnet_signature_found )
-	vl->append(endp->TCP()->BuildConnVal());
+		return;
 	vl->append(val_mgr->GetBool(endp->IsOrig()));
 	vl->append(val_mgr->GetCount(len));
-	endp->TCP()->ConnectionEvent(telnet_signature_found, vl);
+	endp->TCP()->ConnectionEventFast(telnet_signature_found, {
 		endp->TCP()->BuildConnVal(),
 		val_mgr->GetBool(endp->IsOrig()),
 		val_mgr->GetCount(len),
 	});
 	}
 void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data)
@ -643,13 +647,15 @@ void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len,
 void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig)
 	{
-	val_list* vl = new val_list;
+	if ( ! e )
-	vl->append(endp->TCP()->BuildConnVal());
+		return;
 	if ( do_orig )
-		vl->append(val_mgr->GetBool(endp->IsOrig()));
+		endp->TCP()->ConnectionEventFast(e,
 		    {endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig())});
-	endp->TCP()->ConnectionEvent(e, vl);
+	else
 		endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal()});
 	}
@ -776,20 +782,22 @@ void BackDoor_Analyzer::StatTimer(double t, int is_expire)
 void BackDoor_Analyzer::StatEvent()
 	{
-	val_list* vl = new val_list;
+	if ( ! backdoor_stats )
-	vl->append(TCP()->BuildConnVal());
+		return;
 	vl->append(orig_endp->BuildStats());
 	vl->append(resp_endp->BuildStats());
-	TCP()->ConnectionEvent(backdoor_stats, vl);
+	TCP()->ConnectionEventFast(backdoor_stats, {
 		TCP()->BuildConnVal(),
 		orig_endp->BuildStats(),
 		resp_endp->BuildStats(),
 	});
 	}
 void BackDoor_Analyzer::RemoveEvent()
 	{
-	val_list* vl = new val_list;
+	if ( ! backdoor_remove_conn )
-	vl->append(TCP()->BuildConnVal());
+		return;
-	TCP()->ConnectionEvent(backdoor_remove_conn, vl);
+	TCP()->ConnectionEventFast(backdoor_remove_conn, {TCP()->BuildConnVal()});
 	}
 BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a)
--- a/src/analyzer/protocol/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@ -120,10 +120,10 @@ void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bittorrent_peer_weird )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(bittorrent_peer_weird, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(msg));
+			new StringVal(msg),
-		ConnectionEvent(bittorrent_peer_weird, vl);
+		});
 		}
 	}
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@ -247,11 +247,11 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bt_tracker_weird )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(bt_tracker_weird, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(msg));
+			new StringVal(msg),
-		ConnectionEvent(bt_tracker_weird, vl);
+		});
 		}
 	}
@ -346,19 +346,17 @@ void BitTorrentTracker_Analyzer::RequestGet(char* uri)
 void BitTorrentTracker_Analyzer::EmitRequest(void)
 	{
 	val_list* vl;
 	ProtocolConfirmation();
-	vl = new val_list;
+	if ( bt_tracker_request )
-	vl->append(BuildConnVal());
+		ConnectionEventFast(bt_tracker_request, {
-	vl->append(req_val_uri);
+			BuildConnVal(),
-	vl->append(req_val_headers);
+			req_val_uri,
 			req_val_headers,
 		});
 	req_val_uri = 0;
 	req_val_headers = 0;
 	ConnectionEvent(bt_tracker_request, vl);
 	}
 bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
@ -404,11 +402,12 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 			{
 			if ( res_status != 200 )
 				{
-				val_list* vl = new val_list;
+				if ( bt_tracker_response_not_ok )
-				vl->append(BuildConnVal());
+					ConnectionEventFast(bt_tracker_response_not_ok, {
-				vl->append(val_mgr->GetCount(res_status));
+						BuildConnVal(),
-				vl->append(res_val_headers);
+						val_mgr->GetCount(res_status),
-				ConnectionEvent(bt_tracker_response_not_ok, vl);
+						res_val_headers,
 					});
 				res_val_headers = 0;
 				res_buf_pos = res_buf + res_buf_len;
 				res_state = BTT_RES_DONE;
@ -790,16 +789,16 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
 	{
 	ProtocolConfirmation();
-	val_list* vl = new val_list;
+	if ( bt_tracker_response )
-	vl->append(BuildConnVal());
+		ConnectionEventFast(bt_tracker_response, {
-	vl->append(val_mgr->GetCount(res_status));
+			BuildConnVal(),
-	vl->append(res_val_headers);
+			val_mgr->GetCount(res_status),
-	vl->append(res_val_peers);
+			res_val_headers,
-	vl->append(res_val_benc);
+			res_val_peers,
 			res_val_benc,
 		});
 	res_val_headers = 0;
 	res_val_peers = 0;
 	res_val_benc = 0;
 	ConnectionEvent(bt_tracker_response, vl);
 	}
--- a/src/analyzer/protocol/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@ -47,11 +47,11 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool
 	if ( ! f )
 		return;
-	val_list* vl = new val_list;
+	ConnectionEventFast(f, {
-	vl->append(BuildConnVal());
+		BuildConnVal(),
-	vl->append(val_mgr->GetCount(threshold));
+		val_mgr->GetCount(threshold),
-	vl->append(val_mgr->GetBool(is_orig));
+		val_mgr->GetBool(is_orig),
-	ConnectionEvent(f, vl);
+	});
 	}
 void ConnSize_Analyzer::CheckSizes(bool is_orig)
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@ -46,13 +46,12 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 	if ( dns_message )
 		{
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(dns_message, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_query));
+			val_mgr->GetBool(is_query),
-		vl->append(msg.BuildHdrVal());
+			msg.BuildHdrVal(),
-		vl->append(val_mgr->GetCount(len));
+			val_mgr->GetCount(len),
-
+		});
 		analyzer->ConnectionEvent(dns_message, vl);
 		}
 	// There is a great deal of non-DNS traffic that runs on port 53.
@ -133,11 +132,11 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
 	{
-	val_list* vl = new val_list;
+	if ( dns_end )
-
+		analyzer->ConnectionEventFast(dns_end, {
-	vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildHdrVal(),
-	analyzer->ConnectionEvent(dns_end, vl);
+		});
 	return 1;
 	}
@ -336,11 +335,11 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 			if ( dns_unknown_reply && ! msg->skip_event )
 				{
-				val_list* vl = new val_list;
+				analyzer->ConnectionEventFast(dns_unknown_reply, {
-				vl->append(analyzer->BuildConnVal());
+					analyzer->BuildConnVal(),
-				vl->append(msg->BuildHdrVal());
+					msg->BuildHdrVal(),
-				vl->append(msg->BuildAnswerVal());
+					msg->BuildAnswerVal(),
-				analyzer->ConnectionEvent(dns_unknown_reply, vl);
+				});
 				}
 			analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
@ -551,14 +550,12 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
 	if ( reply_event && ! msg->skip_event )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(reply_event, {
-
+			analyzer->BuildConnVal(),
-		vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-		vl->append(msg->BuildHdrVal());
+			msg->BuildAnswerVal(),
-		vl->append(msg->BuildAnswerVal());
+			new StringVal(new BroString(name, name_end - name, 1)),
-		vl->append(new StringVal(new BroString(name, name_end - name, 1)));
+		});
 		analyzer->ConnectionEvent(reply_event, vl);
 		}
 	return 1;
@ -598,14 +595,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 	if ( dns_SOA_reply && ! msg->skip_event )
 		{
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		vl->append(msg->BuildHdrVal());
 		vl->append(msg->BuildAnswerVal());
 		RecordVal* r = new RecordVal(dns_soa);
 		r->Assign(0, new StringVal(new BroString(mname, mname_end - mname, 1)));
 		r->Assign(1, new StringVal(new BroString(rname, rname_end - rname, 1)));
 		r->Assign(2, val_mgr->GetCount(serial));
@ -614,9 +604,12 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 		r->Assign(5, new IntervalVal(double(expire), Seconds));
 		r->Assign(6, new IntervalVal(double(minimum), Seconds));
-		vl->append(r);
+		analyzer->ConnectionEventFast(dns_SOA_reply, {
-
+			analyzer->BuildConnVal(),
-		analyzer->ConnectionEvent(dns_SOA_reply, vl);
+			msg->BuildHdrVal(),
 			msg->BuildAnswerVal(),
 			r
 		});
 		}
 	return 1;
@ -642,15 +635,13 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
 	if ( dns_MX_reply && ! msg->skip_event )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_MX_reply, {
-
+			analyzer->BuildConnVal(),
-		vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-		vl->append(msg->BuildHdrVal());
+			msg->BuildAnswerVal(),
-		vl->append(msg->BuildAnswerVal());
+			new StringVal(new BroString(name, name_end - name, 1)),
-		vl->append(new StringVal(new BroString(name, name_end - name, 1)));
+			val_mgr->GetCount(preference),
-		vl->append(val_mgr->GetCount(preference));
+		});
 		analyzer->ConnectionEvent(dns_MX_reply, vl);
 		}
 	return 1;
@ -687,16 +678,15 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
 	if ( dns_SRV_reply && ! msg->skip_event )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_SRV_reply, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(msg->BuildHdrVal());
+			msg->BuildHdrVal(),
-		vl->append(msg->BuildAnswerVal());
+			msg->BuildAnswerVal(),
-		vl->append(new StringVal(new BroString(name, name_end - name, 1)));
+			new StringVal(new BroString(name, name_end - name, 1)),
-		vl->append(val_mgr->GetCount(priority));
+			val_mgr->GetCount(priority),
-		vl->append(val_mgr->GetCount(weight));
+			val_mgr->GetCount(weight),
-		vl->append(val_mgr->GetCount(port));
+			val_mgr->GetCount(port),
-
+		});
 		analyzer->ConnectionEvent(dns_SRV_reply, vl);
 		}
 	return 1;
@ -711,12 +701,11 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
 	if ( dns_EDNS_addl && ! msg->skip_event )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_EDNS_addl, {
-
+			analyzer->BuildConnVal(),
-		vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-		vl->append(msg->BuildHdrVal());
+			msg->BuildEDNS_Val(),
-		vl->append(msg->BuildEDNS_Val());
+		});
 		analyzer->ConnectionEvent(dns_EDNS_addl, vl);
 		}
 	// Currently EDNS supports the movement of type:data pairs
@ -778,24 +767,24 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
 	unsigned int rr_error = ExtractShort(data, len);
 	ExtractOctets(data, len, 0);  // Other Data
-	msg->tsig = new TSIG_DATA;
+	if ( dns_TSIG_addl )
-
+		{
-	msg->tsig->alg_name =
+		TSIG_DATA tsig;
 		tsig.alg_name =
 			new BroString(alg_name, alg_name_end - alg_name, 1);
-	msg->tsig->sig = request_MAC;
+		tsig.sig = request_MAC;
-	msg->tsig->time_s = sign_time_sec;
+		tsig.time_s = sign_time_sec;
-	msg->tsig->time_ms = sign_time_msec;
+		tsig.time_ms = sign_time_msec;
-	msg->tsig->fudge = fudge;
+		tsig.fudge = fudge;
-	msg->tsig->orig_id = orig_id;
+		tsig.orig_id = orig_id;
-	msg->tsig->rr_error = rr_error;
+		tsig.rr_error = rr_error;
-	val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_TSIG_addl, {
-
+			analyzer->BuildConnVal(),
-	vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildTSIG_Val(&tsig),
-	vl->append(msg->BuildTSIG_Val());
+		});
-
+		}
 	analyzer->ConnectionEvent(dns_TSIG_addl, vl);
 	return 1;
 	}
@ -878,6 +867,8 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
 			break;
 	}
 	if ( dns_RRSIG )
 		{
 		RRSIG_DATA rrsig;
 		rrsig.type_covered = type_covered;
 		rrsig.algorithm = algo;
@ -889,14 +880,13 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
 		rrsig.signer_name = new BroString(name, name_end - name, 1);
 		rrsig.signature = sign;
-	val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_RRSIG, {
-
+			analyzer->BuildConnVal(),
-	vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildAnswerVal(),
-	vl->append(msg->BuildAnswerVal());
+			msg->BuildRRSIG_Val(&rrsig),
-	vl->append(msg->BuildRRSIG_Val(&rrsig));
+		});
-
+		}
 	analyzer->ConnectionEvent(dns_RRSIG, vl);
 	return 1;
 	}
@ -977,20 +967,21 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
 			break;
 	}
 	if ( dns_DNSKEY )
 		{
 		DNSKEY_DATA dnskey;
 		dnskey.dflags = dflags;
 		dnskey.dalgorithm = dalgorithm;
 		dnskey.dprotocol = dprotocol;
 		dnskey.public_key = key;
-	val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_DNSKEY, {
-
+			analyzer->BuildConnVal(),
-	vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildAnswerVal(),
-	vl->append(msg->BuildAnswerVal());
+			msg->BuildDNSKEY_Val(&dnskey),
-	vl->append(msg->BuildDNSKEY_Val(&dnskey));
+		});
-
+		}
 	analyzer->ConnectionEvent(dns_DNSKEY, vl);
 	return 1;
 	}
@ -1035,15 +1026,16 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
 		typebitmaps_len = typebitmaps_len - (2 + bmlen);
 		}
-	val_list* vl = new val_list;
+	if ( dns_NSEC )
-
+		analyzer->ConnectionEventFast(dns_NSEC, {
-	vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildHdrVal(),
-	vl->append(msg->BuildAnswerVal());
+			msg->BuildAnswerVal(),
-	vl->append(new StringVal(new BroString(name, name_end - name, 1)));
+			new StringVal(new BroString(name, name_end - name, 1)),
-	vl->append(char_strings);
+			char_strings,
-
+		});
-	analyzer->ConnectionEvent(dns_NSEC, vl);
+	else
 		Unref(char_strings);
 	return 1;
 	}
@ -1111,6 +1103,8 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
 		typebitmaps_len = typebitmaps_len - (2 + bmlen);
 		}
 	if ( dns_NSEC3 )
 		{
 		NSEC3_DATA nsec3;
 		nsec3.nsec_flags = nsec_flags;
 		nsec3.nsec_hash_algo = hash_algo;
@ -1121,14 +1115,13 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
 		nsec3.nsec_hash = hash_val;
 		nsec3.bitmaps = char_strings;
-	val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_NSEC3, {
-
+			analyzer->BuildConnVal(),
-	vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildAnswerVal(),
-	vl->append(msg->BuildAnswerVal());
+			msg->BuildNSEC3_Val(&nsec3),
-	vl->append(msg->BuildNSEC3_Val(&nsec3));
+		});
-
+		}
 	analyzer->ConnectionEvent(dns_NSEC3, vl);
 	return 1;
 	}
@ -1172,20 +1165,21 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
 			break;
 	}
 	if ( dns_DS )
 		{
 		DS_DATA ds;
 		ds.key_tag = ds_key_tag;
 		ds.algorithm = ds_algo;
 		ds.digest_type = ds_dtype;
 		ds.digest_val = ds_digest;
-	val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_DS, {
-
+			analyzer->BuildConnVal(),
-	vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildAnswerVal(),
-	vl->append(msg->BuildAnswerVal());
+			msg->BuildDS_Val(&ds),
-	vl->append(msg->BuildDS_Val(&ds));
+		});
-
+		}
 	analyzer->ConnectionEvent(dns_DS, vl);
 	return 1;
 	}
@ -1203,14 +1197,12 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
 	if ( dns_A_reply && ! msg->skip_event )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(dns_A_reply, {
-
+			analyzer->BuildConnVal(),
-		vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-		vl->append(msg->BuildHdrVal());
+			msg->BuildAnswerVal(),
-		vl->append(msg->BuildAnswerVal());
+			new AddrVal(htonl(addr)),
-		vl->append(new AddrVal(htonl(addr)));
+		});
 		analyzer->ConnectionEvent(dns_A_reply, vl);
 		}
 	return 1;
@ -1242,13 +1234,12 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
 		event = dns_A6_reply;
 	if ( event && ! msg->skip_event )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(event, {
-
+			analyzer->BuildConnVal(),
-		vl->append(analyzer->BuildConnVal());
+			msg->BuildHdrVal(),
-		vl->append(msg->BuildHdrVal());
+			msg->BuildAnswerVal(),
-		vl->append(msg->BuildAnswerVal());
+			new AddrVal(addr),
-		vl->append(new AddrVal(addr));
+		});
 		analyzer->ConnectionEvent(event, vl);
 		}
 	return 1;
@ -1317,14 +1308,15 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
 		char_strings->Assign(char_strings->Size(), char_string);
-	val_list* vl = new val_list;
+	if ( dns_TXT_reply )
-
+		analyzer->ConnectionEventFast(dns_TXT_reply, {
-	vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildHdrVal(),
-	vl->append(msg->BuildAnswerVal());
+			msg->BuildAnswerVal(),
-	vl->append(char_strings);
+			char_strings,
-
+		});
-	analyzer->ConnectionEvent(dns_TXT_reply, vl);
+	else
 		Unref(char_strings);
 	return rdlength == 0;
 	}
@ -1359,16 +1351,20 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
 	data += value->Len();
 	rdlength -= value->Len();
-	val_list* vl = new val_list;
+	if ( dns_CAA_reply )
-
+		analyzer->ConnectionEventFast(dns_CAA_reply, {
-	vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-	vl->append(msg->BuildHdrVal());
+			msg->BuildHdrVal(),
-	vl->append(msg->BuildAnswerVal());
+			msg->BuildAnswerVal(),
-	vl->append(val_mgr->GetCount(flags));
+			val_mgr->GetCount(flags),
-	vl->append(new StringVal(tag));
+			new StringVal(tag),
-	vl->append(new StringVal(value));
+			new StringVal(value),
-
+		});
-	analyzer->ConnectionEvent(dns_CAA_reply, vl);
+	else
 		{
 		delete tag;
 		delete value;
 		}
 	return rdlength == 0;
 	}
@ -1382,14 +1378,14 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
 	RR_Type qtype = RR_Type(ExtractShort(data, len));
 	int qclass = ExtractShort(data, len);
-	val_list* vl = new val_list;
+	if ( event )
-	vl->append(analyzer->BuildConnVal());
+		analyzer->ConnectionEventFast(event, {
-	vl->append(msg->BuildHdrVal());
+			analyzer->BuildConnVal(),
-	vl->append(new StringVal(question_name));
+			msg->BuildHdrVal(),
-	vl->append(val_mgr->GetCount(qtype));
+			new StringVal(question_name),
-	vl->append(val_mgr->GetCount(qclass));
+			val_mgr->GetCount(qtype),
-
+			val_mgr->GetCount(qclass),
-	analyzer->ConnectionEvent(event, vl);
+		});
 	}
@ -1423,7 +1419,6 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
 	answer_type = DNS_QUESTION;
 	skip_event = 0;
 	tsig = 0;
 	}
 DNS_MsgInfo::~DNS_MsgInfo()
@ -1502,7 +1497,7 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
 	return r;
 	}
-Val* DNS_MsgInfo::BuildTSIG_Val()
+Val* DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig)
 	{
 	RecordVal* r = new RecordVal(dns_tsig_additional);
 	double rtime = tsig->time_s + tsig->time_ms / 1000.0;
@ -1519,9 +1514,6 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
 	r->Assign(7, val_mgr->GetCount(tsig->rr_error));
 	r->Assign(8, val_mgr->GetCount(is_query));
 	delete tsig;
 	tsig = 0;
 	return r;
 	}
@ -1737,10 +1729,11 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 		{
 		if ( ! interp->ParseMessage(data, len, 1) && non_dns_request )
 			{
-			val_list* vl = new val_list;
+			if ( non_dns_request )
-			vl->append(BuildConnVal());
+				ConnectionEventFast(non_dns_request, {
-			vl->append(new StringVal(len, (const char*) data));
+					BuildConnVal(),
-			ConnectionEvent(non_dns_request, vl);
+					new StringVal(len, (const char*) data),
 				});
 			}
 		}
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@ -182,7 +182,7 @@ public:
 	Val* BuildHdrVal();
 	Val* BuildAnswerVal();
 	Val* BuildEDNS_Val();
-	Val* BuildTSIG_Val();
+	Val* BuildTSIG_Val(struct TSIG_DATA*);
 	Val* BuildRRSIG_Val(struct RRSIG_DATA*);
 	Val* BuildDNSKEY_Val(struct DNSKEY_DATA*);
 	Val* BuildNSEC3_Val(struct NSEC3_DATA*);
@ -214,10 +214,6 @@ public:
 				///< identical answer, there may be problems
 	// uint32* addr;	///< cache value to pass back results
 				///< for forward lookups
 	// More values for spesific DNS types.
 	//struct EDNS_ADDITIONAL* edns;
 	struct TSIG_DATA* tsig;
 };
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@ -77,10 +77,12 @@ void File_Analyzer::Identify()
 	                     &matches);
 	string match = matches.empty() ? "<unknown>"
 	                               : *(matches.begin()->second.begin());
-	val_list* vl = new val_list;
+
-	vl->append(BuildConnVal());
+	if ( file_transferred )
-	vl->append(new StringVal(buffer_len, buffer));
+		ConnectionEventFast(file_transferred, {
-	vl->append(new StringVal("<unknown>"));
+			BuildConnVal(),
-	vl->append(new StringVal(match));
+			new StringVal(buffer_len, buffer),
-	ConnectionEvent(file_transferred, vl);
+			new StringVal("<unknown>"),
 			new StringVal(match),
 		});
 	}
--- a/src/analyzer/protocol/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/Finger.cc
@ -66,14 +66,15 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 		else
 			host = at + 1;
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(val_mgr->GetBool(long_cnt));
 		vl->append(new StringVal(at - line, line));
 		vl->append(new StringVal(end_of_line - host, host));
 		if ( finger_request )
-			ConnectionEvent(finger_request, vl);
+			{
 			ConnectionEventFast(finger_request, {
 				BuildConnVal(),
 				val_mgr->GetBool(long_cnt),
 				new StringVal(at - line, line),
 				new StringVal(end_of_line - host, host),
 			});
 			}
 		Conn()->Match(Rule::FINGER, (const u_char *) line,
 			  end_of_line - line, true, true, 1, true);
@ -86,10 +87,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 		if ( ! finger_reply )
 			return;
-		val_list* vl = new val_list;
+		ConnectionEventFast(finger_reply, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(new StringVal(end_of_line - line, line));
+			new StringVal(end_of_line - line, line),
-
+		});
 		ConnectionEvent(finger_reply, vl);
 		}
 	}
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@ -73,8 +73,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		// Could emit "ftp empty request/reply" weird, but maybe not worth it.
 		return;
-	val_list* vl = new val_list;
+	val_list vl;
 	vl->append(BuildConnVal());
 	EventHandlerPtr f;
 	if ( orig )
@ -95,8 +94,11 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		else
 			cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
-		vl->append(cmd_str);
+		vl = val_list{
-		vl->append(new StringVal(end_of_line - line, line));
+			BuildConnVal(),
 			cmd_str,
 			new StringVal(end_of_line - line, line),
 		};
 		f = ftp_request;
 		ProtocolConfirmation();
@ -171,14 +173,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 				}
 			}
-		vl->append(val_mgr->GetCount(reply_code));
+		vl = val_list{
-		vl->append(new StringVal(end_of_line - line, line));
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(cont_resp));
+			val_mgr->GetCount(reply_code),
 			new StringVal(end_of_line - line, line),
 			val_mgr->GetBool(cont_resp),
 		};
 		f = ftp_reply;
 		}
-	ConnectionEvent(f, vl);
+	ConnectionEvent(f, std::move(vl));
 	ForwardStream(length, data, orig);
 	}
--- a/src/analyzer/protocol/gnutella/Gnutella.cc
+++ b/src/analyzer/protocol/gnutella/Gnutella.cc
@ -58,16 +58,10 @@ void Gnutella_Analyzer::Done()
 	if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
 		{
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		if ( Established() && gnutella_establish )
-			ConnectionEvent(gnutella_establish, vl);
+			ConnectionEventFast(gnutella_establish, {BuildConnVal()});
 		else if ( ! Established () && gnutella_not_establish )
-			ConnectionEvent(gnutella_not_establish, vl);
+			ConnectionEventFast(gnutella_not_establish, {BuildConnVal()});
 		else
 			delete_vals(vl);
 		}
 	if ( gnutella_partial_binary_msg )
@ -78,14 +72,12 @@ void Gnutella_Analyzer::Done()
 			{
 			if ( ! p->msg_sent && p->msg_pos )
 				{
-				val_list* vl = new val_list;
+				ConnectionEventFast(gnutella_partial_binary_msg, {
-
+					BuildConnVal(),
-				vl->append(BuildConnVal());
+					new StringVal(p->msg),
-				vl->append(new StringVal(p->msg));
+					val_mgr->GetBool((i == 0)),
-				vl->append(val_mgr->GetBool((i == 0)));
+					val_mgr->GetCount(p->msg_pos),
-				vl->append(val_mgr->GetCount(p->msg_pos));
+				});
 				ConnectionEvent(gnutella_partial_binary_msg, vl);
 				}
 			else if ( ! p->msg_sent && p->payload_left )
@ -129,10 +121,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
 	if ( gnutella_http_notify )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(gnutella_http_notify, {BuildConnVal()});
 		vl->append(BuildConnVal());
 		ConnectionEvent(gnutella_http_notify, vl);
 		}
 	analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -192,13 +181,11 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 			{
 			if ( gnutella_text_msg )
 				{
-				val_list* vl = new val_list;
+				ConnectionEventFast(gnutella_text_msg, {
-
+					BuildConnVal(),
-				vl->append(BuildConnVal());
+					val_mgr->GetBool(orig),
-				vl->append(val_mgr->GetBool(orig));
+					new StringVal(ms->headers.data()),
-				vl->append(new StringVal(ms->headers.data()));
+				});
 				ConnectionEvent(gnutella_text_msg, vl);
 				}
 			ms->headers = "";
@ -206,12 +193,9 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 			if ( Established () && gnutella_establish )
 				{
 				val_list* vl = new val_list;
 				sent_establish = 1;
 				vl->append(BuildConnVal());
-				ConnectionEvent(gnutella_establish, vl);
+				ConnectionEventFast(gnutella_establish, {BuildConnVal()});
 				}
 			}
 		}
@ -237,21 +221,18 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
 	if ( gnutella_binary_msg )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(gnutella_binary_msg, {
-
+			BuildConnVal(),
-		vl->append(BuildConnVal());
+			val_mgr->GetBool(is_orig),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetCount(p->msg_type),
-		vl->append(val_mgr->GetCount(p->msg_type));
+			val_mgr->GetCount(p->msg_ttl),
-		vl->append(val_mgr->GetCount(p->msg_ttl));
+			val_mgr->GetCount(p->msg_hops),
-		vl->append(val_mgr->GetCount(p->msg_hops));
+			val_mgr->GetCount(p->msg_len),
-		vl->append(val_mgr->GetCount(p->msg_len));
+			new StringVal(p->payload),
-		vl->append(new StringVal(p->payload));
+			val_mgr->GetCount(p->payload_len),
-		vl->append(val_mgr->GetCount(p->payload_len));
+			val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
-		vl->append(val_mgr->GetBool(
+			val_mgr->GetBool((p->payload_left == 0)),
-		    (p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))));
+		});
 		vl->append(val_mgr->GetBool((p->payload_left == 0)));
 		ConnectionEvent(gnutella_binary_msg, vl);
 		}
 	}
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@ -646,11 +646,11 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 	if ( http_message_done )
 		{
-		val_list* vl = new val_list;
+		GetAnalyzer()->ConnectionEventFast(http_message_done, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetBool(is_orig),
-		vl->append(BuildMessageStat(interrupted, detail));
+			BuildMessageStat(interrupted, detail),
-		GetAnalyzer()->ConnectionEvent(http_message_done, vl);
+		});
 		}
 	MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
@ -679,10 +679,10 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
 	if ( http_begin_entity )
 		{
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(http_begin_entity, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetBool(is_orig),
-		analyzer->ConnectionEvent(http_begin_entity, vl);
+		});
 		}
 	}
@ -696,10 +696,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 	if ( http_end_entity )
 		{
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(http_end_entity, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetBool(is_orig),
-		analyzer->ConnectionEvent(http_end_entity, vl);
+		});
 		}
 	current_entity = (HTTP_Entity*) entity->Parent();
@ -737,11 +737,11 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
 	{
 	if ( http_all_headers )
 		{
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(http_all_headers, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetBool(is_orig),
-		vl->append(BuildHeaderTable(hlist));
+			BuildHeaderTable(hlist),
-		analyzer->ConnectionEvent(http_all_headers, vl);
+		});
 		}
 	if ( http_content_type )
@ -751,12 +751,12 @@ void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
 		ty->Ref();
 		subty->Ref();
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(http_content_type, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetBool(is_orig),
-		vl->append(ty);
+			ty,
-		vl->append(subty);
+			subty,
-		analyzer->ConnectionEvent(http_content_type, vl);
+		});
 		}
 	}
@ -1182,12 +1182,8 @@ void HTTP_Analyzer::GenStats()
 		r->Assign(2, new Val(request_version, TYPE_DOUBLE));
 		r->Assign(3, new Val(reply_version, TYPE_DOUBLE));
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(r);
 		// DEBUG_MSG("%.6f http_stats\n", network_time);
-		ConnectionEvent(http_stats, vl);
+		ConnectionEventFast(http_stats, {BuildConnVal(), r});
 		}
 	}
@ -1384,13 +1380,12 @@ void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
 	{
 	if ( http_event )
 		{
 		val_list* vl = new val_list();
 		vl->append(BuildConnVal());
 		vl->append(new StringVal(category));
 		vl->append(detail);
 		// DEBUG_MSG("%.6f http_event\n", network_time);
-		ConnectionEvent(http_event, vl);
+		ConnectionEventFast(http_event, {
 			BuildConnVal(),
 			new StringVal(category),
 			detail,
 		});
 		}
 	else
 		delete detail;
@ -1426,17 +1421,16 @@ void HTTP_Analyzer::HTTP_Request()
 	if ( http_request )
 		{
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		Ref(request_method);
 		vl->append(request_method);
 		vl->append(TruncateURI(request_URI->AsStringVal()));
 		vl->append(TruncateURI(unescaped_URI->AsStringVal()));
 		vl->append(new StringVal(fmt("%.1f", request_version)));
 		// DEBUG_MSG("%.6f http_request\n", network_time);
-		ConnectionEvent(http_request, vl);
+		ConnectionEventFast(http_request, {
 			BuildConnVal(),
 			request_method,
 			TruncateURI(request_URI->AsStringVal()),
 			TruncateURI(unescaped_URI->AsStringVal()),
 			new StringVal(fmt("%.1f", request_version)),
 		});
 		}
 	}
@ -1444,15 +1438,14 @@ void HTTP_Analyzer::HTTP_Reply()
 	{
 	if ( http_reply )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(http_reply, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(new StringVal(fmt("%.1f", reply_version)));
+			new StringVal(fmt("%.1f", reply_version)),
-		vl->append(val_mgr->GetCount(reply_code));
+			val_mgr->GetCount(reply_code),
-		if ( reply_reason_phrase )
+			reply_reason_phrase ?
-			vl->append(reply_reason_phrase->Ref());
+				reply_reason_phrase->Ref() :
-		else
+				new StringVal("<empty>"),
-			vl->append(new StringVal("<empty>"));
+		});
 		ConnectionEvent(http_reply, vl);
 		}
 	else
 		{
@ -1524,10 +1517,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
 		if ( http_connection_upgrade )
 			{
-			val_list* vl = new val_list();
+			ConnectionEventFast(http_connection_upgrade, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(new StringVal(upgrade_protocol));
+				new StringVal(upgrade_protocol),
-			ConnectionEvent(http_connection_upgrade, vl);
+			});
 			}
 		}
@ -1697,14 +1690,15 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
 		Conn()->Match(rule, (const u_char*) hd_value.data, hd_value.length,
 				is_orig, false, true, false);
 		val_list* vl = new val_list();
 		vl->append(BuildConnVal());
 		vl->append(val_mgr->GetBool(is_orig));
 		vl->append(mime::new_string_val(h->get_name())->ToUpper());
 		vl->append(mime::new_string_val(h->get_value()));
 		if ( DEBUG_http )
 			DEBUG_MSG("%.6f http_header\n", network_time);
-		ConnectionEvent(http_header, vl);
+
 		ConnectionEventFast(http_header, {
 			BuildConnVal(),
 			val_mgr->GetBool(is_orig),
 			mime::new_string_val(h->get_name())->ToUpper(),
 			mime::new_string_val(h->get_value()),
 		});
 		}
 	}
@ -1833,12 +1827,12 @@ void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
 	{
 	if ( http_entity_data )
 		{
-		val_list* vl = new val_list();
+		ConnectionEventFast(http_entity_data, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetBool(is_orig),
-		vl->append(val_mgr->GetCount(entity_data->Len()));
+			val_mgr->GetCount(entity_data->Len()),
-		vl->append(new StringVal(entity_data));
+			new StringVal(entity_data),
-		ConnectionEvent(http_entity_data, vl);
+		});
 		}
 	else
 		delete entity_data;
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@ -199,20 +199,21 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
    {
 	if ( icmp_sent )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(icmp_sent, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
+			BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
-		ConnectionEvent(icmp_sent, vl);
+		});
 		}
 	if ( icmp_sent_payload )
 		{
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(BuildICMPVal(icmpp, len, icmpv6, ip_hdr));
 		BroString* payload = new BroString(data, min(len, caplen), 0);
-		vl->append(new StringVal(payload));
+
-		ConnectionEvent(icmp_sent_payload, vl);
+		ConnectionEventFast(icmp_sent_payload, {
 			BuildConnVal(),
 			BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
 			new StringVal(payload),
 		});
 		}
 	}
@ -511,14 +512,13 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
 	BroString* payload = new BroString(data, caplen, 0);
-	val_list* vl = new val_list;
+	ConnectionEventFast(f, {
-	vl->append(BuildConnVal());
+		BuildConnVal(),
-	vl->append(BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr));
+		BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
-	vl->append(val_mgr->GetCount(iid));
+		val_mgr->GetCount(iid),
-	vl->append(val_mgr->GetCount(iseq));
+		val_mgr->GetCount(iseq),
-	vl->append(new StringVal(payload));
+		new StringVal(payload),
-
+	});
 	ConnectionEvent(f, vl);
 	}
@ -526,6 +526,10 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
 	{
 	EventHandlerPtr f = icmp_router_advertisement;
 	if ( ! f )
 		return;
 	uint32 reachable = 0, retrans = 0;
 	if ( caplen >= (int)sizeof(reachable) )
@ -534,24 +538,23 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
 	if ( caplen >= (int)sizeof(reachable) + (int)sizeof(retrans) )
 		memcpy(&retrans, data + sizeof(reachable), sizeof(retrans));
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
 	vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
 	vl->append(val_mgr->GetCount(icmpp->icmp_num_addrs)); // Cur Hop Limit
 	vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x80)); // Managed
 	vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x40)); // Other
 	vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x20)); // Home Agent
 	vl->append(val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)); // Pref
 	vl->append(val_mgr->GetBool(icmpp->icmp_wpa & 0x04)); // Proxy
 	vl->append(val_mgr->GetCount(icmpp->icmp_wpa & 0x02)); // Reserved
 	vl->append(new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds));
 	vl->append(new IntervalVal((double)ntohl(reachable), Milliseconds));
 	vl->append(new IntervalVal((double)ntohl(retrans), Milliseconds));
 	int opt_offset = sizeof(reachable) + sizeof(retrans);
 	vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
-	ConnectionEvent(f, vl);
+	ConnectionEventFast(f, {
 		BuildConnVal(),
 		BuildICMPVal(icmpp, len, 1, ip_hdr),
 		val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit
 		val_mgr->GetBool(icmpp->icmp_wpa & 0x80), // Managed
 		val_mgr->GetBool(icmpp->icmp_wpa & 0x40), // Other
 		val_mgr->GetBool(icmpp->icmp_wpa & 0x20), // Home Agent
 		val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3), // Pref
 		val_mgr->GetBool(icmpp->icmp_wpa & 0x04), // Proxy
 		val_mgr->GetCount(icmpp->icmp_wpa & 0x02), // Reserved
 		new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds),
 		new IntervalVal((double)ntohl(reachable), Milliseconds),
 		new IntervalVal((double)ntohl(retrans), Milliseconds),
 		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
 	});
 	}
@ -559,23 +562,26 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
 	{
 	EventHandlerPtr f = icmp_neighbor_advertisement;
 	if ( ! f )
 		return;
 	IPAddr tgtaddr;
 	if ( caplen >= (int)sizeof(in6_addr) )
 		tgtaddr = IPAddr(*((const in6_addr*)data));
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
 	vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
 	vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)); // Router
 	vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)); // Solicited
 	vl->append(val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)); // Override
 	vl->append(new AddrVal(tgtaddr));
 	int opt_offset = sizeof(in6_addr);
 	vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
-	ConnectionEvent(f, vl);
+	ConnectionEventFast(f, {
 		BuildConnVal(),
 		BuildICMPVal(icmpp, len, 1, ip_hdr),
 		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router
 		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40), // Solicited
 		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20), // Override
 		new AddrVal(tgtaddr),
 		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
 	});
 	}
@ -583,20 +589,23 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
 	{
 	EventHandlerPtr f = icmp_neighbor_solicitation;
 	if ( ! f )
 		return;
 	IPAddr tgtaddr;
 	if ( caplen >= (int)sizeof(in6_addr) )
 		tgtaddr = IPAddr(*((const in6_addr*)data));
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
 	vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
 	vl->append(new AddrVal(tgtaddr));
 	int opt_offset = sizeof(in6_addr);
 	vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
-	ConnectionEvent(f, vl);
+	ConnectionEventFast(f, {
 		BuildConnVal(),
 		BuildICMPVal(icmpp, len, 1, ip_hdr),
 		new AddrVal(tgtaddr),
 		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
 	});
 	}
@ -604,6 +613,10 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
 			 int caplen, const u_char*& data, const IP_Hdr* ip_hdr)
 	{
 	EventHandlerPtr f = icmp_redirect;
 	if ( ! f )
 		return;
 	IPAddr tgtaddr, dstaddr;
 	if ( caplen >= (int)sizeof(in6_addr) )
@ -612,16 +625,15 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
 	if ( caplen >= 2 * (int)sizeof(in6_addr) )
 		dstaddr = IPAddr(*((const in6_addr*)(data + sizeof(in6_addr))));
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
 	vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
 	vl->append(new AddrVal(tgtaddr));
 	vl->append(new AddrVal(dstaddr));
 	int opt_offset = 2 * sizeof(in6_addr);
 	vl->append(BuildNDOptionsVal(caplen - opt_offset, data + opt_offset));
-	ConnectionEvent(f, vl);
+	ConnectionEventFast(f, {
 		BuildConnVal(),
 		BuildICMPVal(icmpp, len, 1, ip_hdr),
 		new AddrVal(tgtaddr),
 		new AddrVal(dstaddr),
 		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
 	});
 	}
@ -630,12 +642,14 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
 	{
 	EventHandlerPtr f = icmp_router_solicitation;
-	val_list* vl = new val_list;
+	if ( ! f )
-	vl->append(BuildConnVal());
+		return;
 	vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
 	vl->append(BuildNDOptionsVal(caplen, data));
-	ConnectionEvent(f, vl);
+	ConnectionEventFast(f, {
 		BuildConnVal(),
 		BuildICMPVal(icmpp, len, 1, ip_hdr),
 		BuildNDOptionsVal(caplen, data),
 	});
 	}
@ -657,12 +671,12 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
 	if ( f )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(f, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(BuildICMPVal(icmpp, len, 0, ip_hdr));
+			BuildICMPVal(icmpp, len, 0, ip_hdr),
-		vl->append(val_mgr->GetCount(icmpp->icmp_code));
+			val_mgr->GetCount(icmpp->icmp_code),
-		vl->append(ExtractICMP4Context(caplen, data));
+			ExtractICMP4Context(caplen, data),
-		ConnectionEvent(f, vl);
+		});
 		}
 	}
@ -697,12 +711,12 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
 	if ( f )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(f, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(BuildICMPVal(icmpp, len, 1, ip_hdr));
+			BuildICMPVal(icmpp, len, 1, ip_hdr),
-		vl->append(val_mgr->GetCount(icmpp->icmp_code));
+			val_mgr->GetCount(icmpp->icmp_code),
-		vl->append(ExtractICMP6Context(caplen, data));
+			ExtractICMP6Context(caplen, data),
-		ConnectionEvent(f, vl);
+		});
 		}
 	}
--- a/src/analyzer/protocol/ident/Ident.cc
+++ b/src/analyzer/protocol/ident/Ident.cc
@ -83,12 +83,11 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			Weird("ident_request_addendum", s.CheckString());
 			}
-		val_list* vl = new val_list;
+		ConnectionEventFast(ident_request, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP));
+			val_mgr->GetPort(local_port, TRANSPORT_TCP),
-		vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP));
+			val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-
+		});
 		ConnectionEvent(ident_request, vl);
 		did_deliver = 1;
 		}
@ -144,13 +143,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 		if ( is_error )
 			{
-			val_list* vl = new val_list;
+			if ( ident_error )
-			vl->append(BuildConnVal());
+				ConnectionEventFast(ident_error, {
-			vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP));
+					BuildConnVal(),
-			vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP));
+					val_mgr->GetPort(local_port, TRANSPORT_TCP),
-			vl->append(new StringVal(end_of_line - line, line));
+					val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-
+					new StringVal(end_of_line - line, line),
-			ConnectionEvent(ident_error, vl);
+				});
 			}
 		else
@ -178,14 +177,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			line = skip_whitespace(colon + 1, end_of_line);
-			val_list* vl = new val_list;
+			ConnectionEventFast(ident_reply, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetPort(local_port, TRANSPORT_TCP));
+				val_mgr->GetPort(local_port, TRANSPORT_TCP),
-			vl->append(val_mgr->GetPort(remote_port, TRANSPORT_TCP));
+				val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-			vl->append(new StringVal(end_of_line - line, line));
+				new StringVal(end_of_line - line, line),
-			vl->append(new StringVal(sys_type_s));
+				new StringVal(sys_type_s),
-
+			});
 			ConnectionEvent(ident_reply, vl);
 			}
 		}
 	}
--- a/src/analyzer/protocol/imap/imap-analyzer.pac
+++ b/src/analyzer/protocol/imap/imap-analyzer.pac
@ -43,6 +43,8 @@ refine connection IMAP_Conn += {
 			if ( commands == "ok" )
 				{
 				bro_analyzer()->StartTLS();
 				if ( imap_starttls )
 					BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
 				}
 			else
@ -54,6 +56,9 @@ refine connection IMAP_Conn += {
 	function proc_server_capability(capabilities: Capability[]): bool
 		%{
 		if ( ! imap_capabilities )
 			return true;
 		VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
 		for ( unsigned int i = 0; i< capabilities->size(); i++ )
 			{
--- a/src/analyzer/protocol/interconn/InterConn.cc
+++ b/src/analyzer/protocol/interconn/InterConn.cc
@ -241,20 +241,18 @@ void InterConn_Analyzer::StatTimer(double t, int is_expire)
 void InterConn_Analyzer::StatEvent()
 	{
-	val_list* vl = new val_list;
+	if ( interconn_stats )
-	vl->append(Conn()->BuildConnVal());
+		Conn()->ConnectionEventFast(interconn_stats, this, {
-	vl->append(orig_endp->BuildStats());
+			Conn()->BuildConnVal(),
-	vl->append(resp_endp->BuildStats());
+			orig_endp->BuildStats(),
-
+			resp_endp->BuildStats(),
-	Conn()->ConnectionEvent(interconn_stats, this, vl);
+		});
 	}
 void InterConn_Analyzer::RemoveEvent()
 	{
-	val_list* vl = new val_list;
+	if ( interconn_remove_conn )
-	vl->append(Conn()->BuildConnVal());
+		Conn()->ConnectionEventFast(interconn_remove_conn, this, {Conn()->BuildConnVal()});
 	Conn()->ConnectionEvent(interconn_remove_conn, this, vl);
 	}
 InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a)
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@ -233,14 +233,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				// else ###
 				}
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_network_info, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(val_mgr->GetInt(users));
+				val_mgr->GetInt(users),
-			vl->append(val_mgr->GetInt(services));
+				val_mgr->GetInt(services),
-			vl->append(val_mgr->GetInt(servers));
+				val_mgr->GetInt(servers),
-
+			});
 			ConnectionEvent(irc_network_info, vl);
 			}
 			break;
@ -271,13 +270,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts.size() > 0 && parts[0][0] == ':' )
 				parts[0] = parts[0].substr(1);
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
 			vl->append(val_mgr->GetBool(orig));
 			vl->append(new StringVal(type.c_str()));
 			vl->append(new StringVal(channel.c_str()));
 			TableVal* set = new TableVal(string_set);
 			for ( unsigned int i = 0; i < parts.size(); ++i )
 				{
 				if ( parts[i][0] == '@' )
@ -286,9 +280,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				set->Assign(idx, 0);
 				Unref(idx);
 				}
 			vl->append(set);
-			ConnectionEvent(irc_names_info, vl);
+			ConnectionEventFast(irc_names_info, {
 				BuildConnVal(),
 				val_mgr->GetBool(orig),
 				new StringVal(type.c_str()),
 				new StringVal(channel.c_str()),
 				set,
 			});
 			}
 			break;
@ -316,14 +315,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				// else ###
 				}
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_server_info, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(val_mgr->GetInt(users));
+				val_mgr->GetInt(users),
-			vl->append(val_mgr->GetInt(services));
+				val_mgr->GetInt(services),
-			vl->append(val_mgr->GetInt(servers));
+				val_mgr->GetInt(servers),
-
+			});
 			ConnectionEvent(irc_server_info, vl);
 			}
 			break;
@ -339,12 +337,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				if ( parts[i] == ":channels" )
 					channels = atoi(parts[i - 1].c_str());
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_channel_info, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(val_mgr->GetInt(channels));
+				val_mgr->GetInt(channels),
-
+			});
 			ConnectionEvent(irc_channel_info, vl);
 			}
 			break;
@ -372,12 +369,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				break;
 				}
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_global_users, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(new StringVal(eop - prefix, prefix));
+				new StringVal(eop - prefix, prefix),
-			vl->append(new StringVal(++msg));
+				new StringVal(++msg),
-			ConnectionEvent(irc_global_users, vl);
+			});
 			break;
 			}
@ -397,12 +394,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}
-			val_list* vl = new val_list;
+			val_list vl(6);
-			vl->append(BuildConnVal());
+			vl.append(BuildConnVal());
-			vl->append(val_mgr->GetBool(orig));
+			vl.append(val_mgr->GetBool(orig));
-			vl->append(new StringVal(parts[0].c_str()));
+			vl.append(new StringVal(parts[0].c_str()));
-			vl->append(new StringVal(parts[1].c_str()));
+			vl.append(new StringVal(parts[1].c_str()));
-			vl->append(new StringVal(parts[2].c_str()));
+			vl.append(new StringVal(parts[2].c_str()));
 			parts.erase(parts.begin(), parts.begin() + 4);
@ -413,9 +410,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( real_name[0] == ':' )
 				real_name = real_name.substr(1);
-			vl->append(new StringVal(real_name.c_str()));
+			vl.append(new StringVal(real_name.c_str()));
-			ConnectionEvent(irc_whois_user_line, vl);
+			ConnectionEventFast(irc_whois_user_line, std::move(vl));
 			}
 			break;
@ -436,12 +433,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_whois_operator_line, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(new StringVal(parts[0].c_str()));
+				new StringVal(parts[0].c_str()),
-
+			});
 			ConnectionEvent(irc_whois_operator_line, vl);
 			}
 			break;
@ -467,11 +463,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts.size() > 0 && parts[0][0] == ':' )
 				parts[0] = parts[0].substr(1);
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
 			vl->append(val_mgr->GetBool(orig));
 			vl->append(new StringVal(nick.c_str()));
 			TableVal* set = new TableVal(string_set);
 			for ( unsigned int i = 0; i < parts.size(); ++i )
 				{
 				Val* idx = new StringVal(parts[i].c_str());
@ -479,9 +472,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				Unref(idx);
 				}
-			vl->append(set);
+			ConnectionEventFast(irc_whois_channel_line, {
-
+				BuildConnVal(),
-			ConnectionEvent(irc_whois_channel_line, vl);
+				val_mgr->GetBool(orig),
 				new StringVal(nick.c_str()),
 				set,
 			});
 			}
 			break;
@ -502,19 +498,17 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( pos < params.size() )
 				{
 				string topic = params.substr(pos + 1);
 				val_list* vl = new val_list;
 				vl->append(BuildConnVal());
 				vl->append(val_mgr->GetBool(orig));
 				vl->append(new StringVal(parts[1].c_str()));
 				const char* t = topic.c_str();
 				if ( *t == ':' )
 					++t;
-				vl->append(new StringVal(t));
+				ConnectionEventFast(irc_channel_topic, {
-
+					BuildConnVal(),
-				ConnectionEvent(irc_channel_topic, vl);
+					val_mgr->GetBool(orig),
 					new StringVal(parts[1].c_str()),
 					new StringVal(t),
 				});
 				}
 			else
 				{
@ -537,24 +531,25 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
 			vl->append(val_mgr->GetBool(orig));
 			vl->append(new StringVal(parts[0].c_str()));
 			vl->append(new StringVal(parts[1].c_str()));
 			if ( parts[2][0] == '~' )
 				parts[2] = parts[2].substr(1);
-			vl->append(new StringVal(parts[2].c_str()));
+
 			vl->append(new StringVal(parts[3].c_str()));
 			vl->append(new StringVal(parts[4].c_str()));
 			vl->append(new StringVal(parts[5].c_str()));
 			vl->append(new StringVal(parts[6].c_str()));
 			if ( parts[7][0] == ':' )
 				parts[7] = parts[7].substr(1);
 			vl->append(val_mgr->GetInt(atoi(parts[7].c_str())));
 			vl->append(new StringVal(parts[8].c_str()));
-			ConnectionEvent(irc_who_line, vl);
+			ConnectionEventFast(irc_who_line, {
 				BuildConnVal(),
 				val_mgr->GetBool(orig),
 				new StringVal(parts[0].c_str()),
 				new StringVal(parts[1].c_str()),
 				new StringVal(parts[2].c_str()),
 				new StringVal(parts[3].c_str()),
 				new StringVal(parts[4].c_str()),
 				new StringVal(parts[5].c_str()),
 				new StringVal(parts[6].c_str()),
 				val_mgr->GetInt(atoi(parts[7].c_str())),
 				new StringVal(parts[8].c_str()),
 			});
 			}
 			break;
@ -565,10 +560,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 436:
 			if ( irc_invalid_nick )
 				{
-				val_list* vl = new val_list;
+				ConnectionEventFast(irc_invalid_nick, {
-				vl->append(BuildConnVal());
+					BuildConnVal(),
-				vl->append(val_mgr->GetBool(orig));
+					val_mgr->GetBool(orig),
-				ConnectionEvent(irc_invalid_nick, vl);
+				});
 				}
 			break;
@ -577,11 +572,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 491:  // user is not operator
 			if ( irc_oper_response )
 				{
-				val_list* vl = new val_list;
+				ConnectionEventFast(irc_oper_response, {
-				vl->append(BuildConnVal());
+					BuildConnVal(),
-				vl->append(val_mgr->GetBool(orig));
+					val_mgr->GetBool(orig),
-				vl->append(val_mgr->GetBool(code == 381));
+					val_mgr->GetBool(code == 381),
-				ConnectionEvent(irc_oper_response, vl);
+				});
 				}
 			break;
@ -592,14 +587,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		// All other server replies.
 		default:
-			val_list* vl = new val_list;
+			if ( irc_reply )
-			vl->append(BuildConnVal());
+				ConnectionEventFast(irc_reply, {
-			vl->append(val_mgr->GetBool(orig));
+					BuildConnVal(),
-			vl->append(new StringVal(prefix.c_str()));
+					val_mgr->GetBool(orig),
-			vl->append(val_mgr->GetCount(code));
+					new StringVal(prefix.c_str()),
-			vl->append(new StringVal(params.c_str()));
+					val_mgr->GetCount(code),
-
+					new StringVal(params.c_str()),
-			ConnectionEvent(irc_reply, vl);
+				});
 			break;
 		}
 		return;
@ -662,33 +657,33 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				raw_ip = (10 * raw_ip) + atoi(s.c_str());
 				}
 			val_list* vl = new val_list;
 			vl->append(BuildConnVal());
 			vl->append(val_mgr->GetBool(orig));
 			vl->append(new StringVal(prefix.c_str()));
 			vl->append(new StringVal(target.c_str()));
 			vl->append(new StringVal(parts[1].c_str()));
 			vl->append(new StringVal(parts[2].c_str()));
 			vl->append(new AddrVal(htonl(raw_ip)));
 			vl->append(val_mgr->GetCount(atoi(parts[4].c_str())));
 			if ( parts.size() >= 6 )
 				vl->append(val_mgr->GetCount(atoi(parts[5].c_str())));
 			else
 				vl->append(val_mgr->GetCount(0));
-			ConnectionEvent(irc_dcc_message, vl);
+			if ( irc_dcc_message )
 				ConnectionEventFast(irc_dcc_message, {
 					BuildConnVal(),
 					val_mgr->GetBool(orig),
 					new StringVal(prefix.c_str()),
 					new StringVal(target.c_str()),
 					new StringVal(parts[1].c_str()),
 					new StringVal(parts[2].c_str()),
 					new AddrVal(htonl(raw_ip)),
 					val_mgr->GetCount(atoi(parts[4].c_str())),
 					parts.size() >= 6 ?
 						val_mgr->GetCount(atoi(parts[5].c_str())) :
 						val_mgr->GetCount(0),
 				});
 			}
 		else
 			{
-			val_list* vl = new val_list;
+			if ( irc_privmsg_message )
-			vl->append(BuildConnVal());
+				ConnectionEventFast(irc_privmsg_message, {
-			vl->append(val_mgr->GetBool(orig));
+					BuildConnVal(),
-			vl->append(new StringVal(prefix.c_str()));
+					val_mgr->GetBool(orig),
-			vl->append(new StringVal(target.c_str()));
+					new StringVal(prefix.c_str()),
-			vl->append(new StringVal(message.c_str()));
+					new StringVal(target.c_str()),
-
+					new StringVal(message.c_str()),
-			ConnectionEvent(irc_privmsg_message, vl);
+				});
 			}
 		}
@ -707,14 +702,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( message[0] == ':' )
 			message = message.substr(1);
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_notice_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(prefix.c_str()));
+			new StringVal(prefix.c_str()),
-		vl->append(new StringVal(target.c_str()));
+			new StringVal(target.c_str()),
-		vl->append(new StringVal(message.c_str()));
+			new StringVal(message.c_str()),
-
+		});
 		ConnectionEvent(irc_notice_message, vl);
 		}
 	else if ( irc_squery_message && command == "SQUERY" )
@ -732,35 +726,34 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( message[0] == ':' )
 			message = message.substr(1);
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_squery_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(prefix.c_str()));
+			new StringVal(prefix.c_str()),
-		vl->append(new StringVal(target.c_str()));
+			new StringVal(target.c_str()),
-		vl->append(new StringVal(message.c_str()));
+			new StringVal(message.c_str()),
-
+		});
 		ConnectionEvent(irc_squery_message, vl);
 		}
 	else if ( irc_user_message && command == "USER" )
 		{
 		// extract username and real name
 		vector<string> parts = SplitWords(params, ' ');
-		val_list* vl = new val_list;
+		val_list vl(6);
-		vl->append(BuildConnVal());
+		vl.append(BuildConnVal());
-		vl->append(val_mgr->GetBool(orig));
+		vl.append(val_mgr->GetBool(orig));
 		if ( parts.size() > 0 )
-			vl->append(new StringVal(parts[0].c_str()));
+			vl.append(new StringVal(parts[0].c_str()));
-		else vl->append(val_mgr->GetEmptyString());
+		else vl.append(val_mgr->GetEmptyString());
 		if ( parts.size() > 1 )
-			vl->append(new StringVal(parts[1].c_str()));
+			vl.append(new StringVal(parts[1].c_str()));
-		else vl->append(val_mgr->GetEmptyString());
+		else vl.append(val_mgr->GetEmptyString());
 		if ( parts.size() > 2 )
-			vl->append(new StringVal(parts[2].c_str()));
+			vl.append(new StringVal(parts[2].c_str()));
-		else vl->append(val_mgr->GetEmptyString());
+		else vl.append(val_mgr->GetEmptyString());
 		string realname;
 		for ( unsigned int i = 3; i < parts.size(); i++ )
@ -771,9 +764,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}
 		const char* name = realname.c_str();
-		vl->append(new StringVal(*name == ':' ? name + 1 : name));
+		vl.append(new StringVal(*name == ':' ? name + 1 : name));
-		ConnectionEvent(irc_user_message, vl);
+		ConnectionEventFast(irc_user_message, std::move(vl));
 		}
 	else if ( irc_oper_message && command == "OPER" )
@ -782,13 +775,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		vector<string> parts = SplitWords(params, ' ');
 		if ( parts.size() == 2 )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_oper_message, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(new StringVal(parts[0].c_str()));
+				new StringVal(parts[0].c_str()),
-			vl->append(new StringVal(parts[1].c_str()));
+				new StringVal(parts[1].c_str()),
-
+			});
 			ConnectionEvent(irc_oper_message, vl);
 			}
 		else
@ -805,12 +797,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			return;
 			}
-		val_list* vl = new val_list;
+		val_list vl(6);
-		vl->append(BuildConnVal());
+		vl.append(BuildConnVal());
-		vl->append(val_mgr->GetBool(orig));
+		vl.append(val_mgr->GetBool(orig));
-		vl->append(new StringVal(prefix.c_str()));
+		vl.append(new StringVal(prefix.c_str()));
-		vl->append(new StringVal(parts[0].c_str()));
+		vl.append(new StringVal(parts[0].c_str()));
-		vl->append(new StringVal(parts[1].c_str()));
+		vl.append(new StringVal(parts[1].c_str()));
 		if ( parts.size() > 2 )
 			{
 			string comment = parts[2];
@ -820,12 +812,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( comment[0] == ':' )
 				comment = comment.substr(1);
-			vl->append(new StringVal(comment.c_str()));
+			vl.append(new StringVal(comment.c_str()));
 			}
 		else
-			vl->append(val_mgr->GetEmptyString());
+			vl.append(val_mgr->GetEmptyString());
-		ConnectionEvent(irc_kick_message, vl);
+		ConnectionEventFast(irc_kick_message, std::move(vl));
 		}
 	else if ( irc_join_message && command == "JOIN" )
@ -849,11 +841,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(val_mgr->GetBool(orig));
 		TableVal* list = new TableVal(irc_join_list);
 		vector<string> channels = SplitWords(parts[0], ',');
 		vector<string> passwords;
@ -876,9 +865,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			Unref(info);
 			}
-		vl->append(list);
+		ConnectionEventFast(irc_join_message, {
-
+			BuildConnVal(),
-		ConnectionEvent(irc_join_message, vl);
+			val_mgr->GetBool(orig),
 			list,
 		});
 		}
 	else if ( irc_join_message && command == "NJOIN" )
@ -895,12 +886,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			parts[1] = parts[1].substr(1);
 		vector<string> users = SplitWords(parts[1], ',');
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(val_mgr->GetBool(orig));
 		TableVal* list = new TableVal(irc_join_list);
 		string empty_string = "";
 		for ( unsigned int i = 0; i < users.size(); ++i )
@ -939,9 +926,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			Unref(info);
 			}
-		vl->append(list);
+		ConnectionEventFast(irc_join_message, {
-
+			BuildConnVal(),
-		ConnectionEvent(irc_join_message, vl);
+			val_mgr->GetBool(orig),
 			list,
 		});
 		}
 	else if ( irc_part_message && command == "PART" )
@ -977,14 +966,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			Unref(idx);
 			}
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_part_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(nick.c_str()));
+			new StringVal(nick.c_str()),
-		vl->append(set);
+			set,
-		vl->append(new StringVal(message.c_str()));
+			new StringVal(message.c_str()),
-
+		});
 		ConnectionEvent(irc_part_message, vl);
 		}
 	else if ( irc_quit_message && command == "QUIT" )
@ -1001,13 +989,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_quit_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(nickname.c_str()));
+			new StringVal(nickname.c_str()),
-		vl->append(new StringVal(message.c_str()));
+			new StringVal(message.c_str()),
-
+		});
 		ConnectionEvent(irc_quit_message, vl);
 		}
 	else if ( irc_nick_message && command == "NICK" )
@ -1016,13 +1003,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( nick[0] == ':' )
 			nick = nick.substr(1);
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_nick_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(prefix.c_str()));
+			new StringVal(prefix.c_str()),
-		vl->append(new StringVal(nick.c_str()));
+			new StringVal(nick.c_str())
-
+		});
 		ConnectionEvent(irc_nick_message, vl);
 		}
 	else if ( irc_who_message && command == "WHO" )
@ -1042,16 +1028,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
 			parts[0] = parts[0].substr(1);
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_who_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		if ( parts.size() > 0 )
+			parts.size() > 0 ?
-			vl->append(new StringVal(parts[0].c_str()));
+				new StringVal(parts[0].c_str()) :
-		else
+				val_mgr->GetEmptyString(),
-			vl->append(val_mgr->GetEmptyString());
+			val_mgr->GetBool(oper),
-		vl->append(val_mgr->GetBool(oper));
+		});
 		ConnectionEvent(irc_who_message, vl);
 		}
 	else if ( irc_whois_message && command == "WHOIS" )
@ -1074,26 +1058,25 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		else
 			users = parts[0];
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_whois_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(server.c_str()));
+			new StringVal(server.c_str()),
-		vl->append(new StringVal(users.c_str()));
+			new StringVal(users.c_str()),
-
+		});
 		ConnectionEvent(irc_whois_message, vl);
 		}
 	else if ( irc_error_message && command == "ERROR" )
 		{
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(val_mgr->GetBool(orig));
 		vl->append(new StringVal(prefix.c_str()));
 		if ( params[0] == ':' )
 			params = params.substr(1);
 		vl->append(new StringVal(params.c_str()));
-		ConnectionEvent(irc_error_message, vl);
+		ConnectionEventFast(irc_error_message, {
 			BuildConnVal(),
 			val_mgr->GetBool(orig),
 			new StringVal(prefix.c_str()),
 			new StringVal(params.c_str()),
 		});
 		}
 	else if ( irc_invite_message && command == "INVITE" )
@ -1104,14 +1087,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts[1].size() > 0 && parts[1][0] == ':' )
 				parts[1] = parts[1].substr(1);
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_invite_message, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(new StringVal(prefix.c_str()));
+				new StringVal(prefix.c_str()),
-			vl->append(new StringVal(parts[0].c_str()));
+				new StringVal(parts[0].c_str()),
-			vl->append(new StringVal(parts[1].c_str()));
+				new StringVal(parts[1].c_str()),
-
+			});
 			ConnectionEvent(irc_invite_message, vl);
 			}
 		else
 			Weird("irc_invalid_invite_message_format");
@ -1121,13 +1103,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( params.size() > 0 )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_mode_message, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(new StringVal(prefix.c_str()));
+				new StringVal(prefix.c_str()),
-			vl->append(new StringVal(params.c_str()));
+				new StringVal(params.c_str()),
-
+			});
 			ConnectionEvent(irc_mode_message, vl);
 			}
 		else
@ -1136,11 +1117,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	else if ( irc_password_message && command == "PASS" )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_password_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(params.c_str()));
+			new StringVal(params.c_str()),
-		ConnectionEvent(irc_password_message, vl);
+		});
 		}
 	else if ( irc_squit_message && command == "SQUIT" )
@ -1158,14 +1139,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				message = message.substr(1);
 			}
-		val_list* vl = new val_list;
+		ConnectionEventFast(irc_squit_message, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(orig));
+			val_mgr->GetBool(orig),
-		vl->append(new StringVal(prefix.c_str()));
+			new StringVal(prefix.c_str()),
-		vl->append(new StringVal(server.c_str()));
+			new StringVal(server.c_str()),
-		vl->append(new StringVal(message.c_str()));
+			new StringVal(message.c_str()),
-
+		});
 		ConnectionEvent(irc_squit_message, vl);
 		}
@ -1173,14 +1153,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( irc_request )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_request, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(new StringVal(prefix.c_str()));
+				new StringVal(prefix.c_str()),
-			vl->append(new StringVal(command.c_str()));
+				new StringVal(command.c_str()),
-			vl->append(new StringVal(params.c_str()));
+				new StringVal(params.c_str()),
-
+			});
 			ConnectionEvent(irc_request, vl);
 			}
 		}
@ -1188,14 +1167,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( irc_message )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(irc_message, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(orig));
+				val_mgr->GetBool(orig),
-			vl->append(new StringVal(prefix.c_str()));
+				new StringVal(prefix.c_str()),
-			vl->append(new StringVal(command.c_str()));
+				new StringVal(command.c_str()),
-			vl->append(new StringVal(params.c_str()));
+				new StringVal(params.c_str()),
-
+			});
 			ConnectionEvent(irc_message, vl);
 			}
 		}
@ -1224,10 +1202,8 @@ void IRC_Analyzer::StartTLS()
 	if ( ssl )
 		AddChildAnalyzer(ssl);
-	val_list* vl = new val_list;
+	if ( irc_starttls )
-	vl->append(BuildConnVal());
+		ConnectionEventFast(irc_starttls, {BuildConnVal()});
 	ConnectionEvent(irc_starttls, vl);
 	}
 vector<string> IRC_Analyzer::SplitWords(const string input, const char split)
--- a/src/analyzer/protocol/login/Login.cc
+++ b/src/analyzer/protocol/login/Login.cc
@ -289,9 +289,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
 		{
 		if ( authentication_skipped )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(authentication_skipped, {BuildConnVal()});
 			vl->append(BuildConnVal());
 			ConnectionEvent(authentication_skipped, vl);
 			}
 		state = LOGIN_STATE_SKIP;
@ -334,32 +332,26 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
 		else if ( login_terminal && streq(name, "TERM") )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(login_terminal, {
-
+				BuildConnVal(),
-			vl->append(BuildConnVal());
+				new StringVal(val),
-			vl->append(new StringVal(val));
+			});
 			ConnectionEvent(login_terminal, vl);
 			}
 		else if ( login_display && streq(name, "DISPLAY") )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(login_display, {
-
+				BuildConnVal(),
-			vl->append(BuildConnVal());
+				new StringVal(val),
-			vl->append(new StringVal(val));
+			});
 			ConnectionEvent(login_display, vl);
 			}
 		else if ( login_prompt && streq(name, "TTYPROMPT") )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(login_prompt, {
-
+				BuildConnVal(),
-			vl->append(BuildConnVal());
+				new StringVal(val),
-			vl->append(new StringVal(val));
+			});
 			ConnectionEvent(login_prompt, vl);
 			}
 		}
@ -433,15 +425,13 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
 	Val* password = HaveTypeahead() ?
 				PopUserTextVal() : new StringVal("<none>");
-	val_list* vl = new val_list;
+	ConnectionEventFast(f, {
-
+		BuildConnVal(),
-	vl->append(BuildConnVal());
+		username->Ref(),
-	vl->append(username->Ref());
+		client_name ? client_name->Ref() : val_mgr->GetEmptyString(),
-	vl->append(client_name ? client_name->Ref() : val_mgr->GetEmptyString());
+		password,
-	vl->append(password);
+		new StringVal(line),
-	vl->append(new StringVal(line));
+	});
 	ConnectionEvent(f, vl);
 	}
 const char* Login_Analyzer::GetUsername(const char* line) const
@ -454,12 +444,13 @@ const char* Login_Analyzer::GetUsername(const char* line) const
 void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
 	{
-	val_list* vl = new val_list;
+	if ( ! f )
 		return;
-	vl->append(BuildConnVal());
+	ConnectionEventFast(f, {
-	vl->append(new StringVal(line));
+		BuildConnVal(),
-
+		new StringVal(line),
-	ConnectionEvent(f, vl);
+	});
 	}
@ -469,12 +460,11 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
 	if ( login_confused )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(login_confused, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(new StringVal(msg));
+			new StringVal(msg),
-		vl->append(new StringVal(line));
+			new StringVal(line),
-
+		});
 		ConnectionEvent(login_confused, vl);
 		}
 	if ( login_confused_text )
@ -496,10 +486,10 @@ void Login_Analyzer::ConfusionText(const char* line)
 	{
 	if ( login_confused_text )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(login_confused_text, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(new StringVal(line));
+			new StringVal(line),
-		ConnectionEvent(login_confused_text, vl);
+		});
 		}
 	}
--- a/src/analyzer/protocol/login/NVT.cc
+++ b/src/analyzer/protocol/login/NVT.cc
@ -461,11 +461,10 @@ void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
 	{
 	if ( login_terminal )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(login_terminal, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(new StringVal(new BroString(terminal, len, 0)));
+			new StringVal(new BroString(terminal, len, 0)),
-
+		});
 		ConnectionEvent(login_terminal, vl);
 		}
 	}
--- a/src/analyzer/protocol/login/RSH.cc
+++ b/src/analyzer/protocol/login/RSH.cc
@ -156,31 +156,38 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
 	Login_Analyzer::DeliverStream(len, data, orig);
 	if ( orig )
 		{
 		if ( ! rsh_request )
 			return;
 		}
 	else
 		{
 		if ( ! rsh_reply )
 			return;
 		}
 	val_list vl(4 + orig);
 	const char* line = (const char*) data;
 	val_list* vl = new val_list;
 	line = skip_whitespace(line);
-	vl->append(BuildConnVal());
+	vl.append(BuildConnVal());
-	vl->append(client_name ? client_name->Ref() : new StringVal("<none>"));
+	vl.append(client_name ? client_name->Ref() : new StringVal("<none>"));
-	vl->append(username ? username->Ref() : new StringVal("<none>"));
+	vl.append(username ? username->Ref() : new StringVal("<none>"));
-	vl->append(new StringVal(line));
+	vl.append(new StringVal(line));
-	if ( orig && rsh_request )
+	if ( orig )
 		{
 		if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
 			// First input
-			vl->append(val_mgr->GetTrue());
+			vl.append(val_mgr->GetTrue());
 		else
-			vl->append(val_mgr->GetFalse());
+			vl.append(val_mgr->GetFalse());
-		ConnectionEvent(rsh_request, vl);
+		ConnectionEventFast(rsh_request, std::move(vl));
 		}
 	else if ( rsh_reply )
 		ConnectionEvent(rsh_reply, vl);
 	else
-		delete_vals(vl);
+		ConnectionEventFast(rsh_reply, std::move(vl));
 	}
 void Rsh_Analyzer::ClientUserName(const char* s)
--- a/src/analyzer/protocol/login/Rlogin.cc
+++ b/src/analyzer/protocol/login/Rlogin.cc
@ -244,11 +244,9 @@ void Rlogin_Analyzer::TerminalType(const char* s)
 	{
 	if ( login_terminal )
 		{
-		val_list* vl = new val_list;
+		ConnectionEventFast(login_terminal, {
-
+			BuildConnVal(),
-		vl->append(BuildConnVal());
+			new StringVal(s),
-		vl->append(new StringVal(s));
+		});
 		ConnectionEvent(login_terminal, vl);
 		}
 	}
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@ -1358,11 +1358,11 @@ void MIME_Mail::Done()
 		hash_final(md5_hash, digest);
 		md5_hash = nullptr;
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(mime_content_hash, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetCount(content_hash_length));
+			val_mgr->GetCount(content_hash_length),
-		vl->append(new StringVal(new BroString(1, digest, 16)));
+			new StringVal(new BroString(1, digest, 16)),
-		analyzer->ConnectionEvent(mime_content_hash, vl);
+		});
 		}
 	MIME_Message::Done();
@ -1386,11 +1386,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
 	cur_entity_id.clear();
 	if ( mime_begin_entity )
-		{
+		analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()});
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		analyzer->ConnectionEvent(mime_begin_entity, vl);
 		}
 	buffer_start = data_start = 0;
 	ASSERT(entity_content.size() == 0);
@ -1402,12 +1398,11 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		{
 		BroString* s = concatenate(entity_content);
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(mime_entity_data, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetCount(s->Len()));
+			val_mgr->GetCount(s->Len()),
-		vl->append(new StringVal(s));
+			new StringVal(s),
-
+		});
 		analyzer->ConnectionEvent(mime_entity_data, vl);
 		if ( ! mime_all_data )
 			delete_strings(entity_content);
@ -1416,11 +1411,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		}
 	if ( mime_end_entity )
-		{
+		analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()});
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		analyzer->ConnectionEvent(mime_end_entity, vl);
 		}
 	file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
 	cur_entity_id.clear();
@ -1430,10 +1421,10 @@ void MIME_Mail::SubmitHeader(MIME_Header* h)
 	{
 	if ( mime_one_header )
 		{
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(mime_one_header, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(BuildHeaderVal(h));
+			BuildHeaderVal(h),
-		analyzer->ConnectionEvent(mime_one_header, vl);
+		});
 		}
 	}
@ -1441,10 +1432,10 @@ void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
 	{
 	if ( mime_all_headers )
 		{
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(mime_all_headers, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(BuildHeaderTable(hlist));
+			BuildHeaderTable(hlist),
-		analyzer->ConnectionEvent(mime_all_headers, vl);
+		});
 		}
 	}
@ -1478,11 +1469,11 @@ void MIME_Mail::SubmitData(int len, const char* buf)
 		const char* data = (char*) data_buffer->Bytes() + data_start;
 		int data_len = (buf + len) - data;
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(mime_segment_data, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetCount(data_len));
+			val_mgr->GetCount(data_len),
-		vl->append(new StringVal(data_len, data));
+			new StringVal(data_len, data),
-		analyzer->ConnectionEvent(mime_segment_data, vl);
+		});
 		}
 	cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
@ -1525,12 +1516,11 @@ void MIME_Mail::SubmitAllData()
 		BroString* s = concatenate(all_content);
 		delete_strings(all_content);
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(mime_all_data, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetCount(s->Len()));
+			val_mgr->GetCount(s->Len()),
-		vl->append(new StringVal(s));
+			new StringVal(s),
-
+		});
 		analyzer->ConnectionEvent(mime_all_data, vl);
 		}
 	}
@ -1555,10 +1545,10 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
 	if ( mime_event )
 		{
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(mime_event, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(new StringVal(category));
+			new StringVal(category),
-		vl->append(new StringVal(detail));
+			new StringVal(detail),
-		analyzer->ConnectionEvent(mime_event, vl);
+		});
 		}
 	}
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@ -61,21 +61,27 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
 	EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
 	if ( f )
 		{
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		vl->append(val_mgr->GetCount(frame->frame_type()));
 		vl->append(val_mgr->GetCount(frame->body_length()));
 		if ( frame->is_orig() )
-			vl->append(val_mgr->GetCount(req_func));
+			{
 			analyzer->ConnectionEventFast(f, {
 				analyzer->BuildConnVal(),
 				val_mgr->GetCount(frame->frame_type()),
 				val_mgr->GetCount(frame->body_length()),
 				val_mgr->GetCount(req_func),
 			});
 			}
 		else
 			{
-			vl->append(val_mgr->GetCount(req_frame_type));
+			analyzer->ConnectionEventFast(f, {
-			vl->append(val_mgr->GetCount(req_func));
+				analyzer->BuildConnVal(),
-			vl->append(val_mgr->GetCount(frame->reply()->completion_code()));
+				val_mgr->GetCount(frame->frame_type()),
 				val_mgr->GetCount(frame->body_length()),
 				val_mgr->GetCount(req_frame_type),
 				val_mgr->GetCount(req_func),
 				val_mgr->GetCount(frame->reply()->completion_code()),
 			});
 			}
 		analyzer->ConnectionEvent(f, vl);
 		}
 	}
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@ -58,12 +58,12 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
 	{
 	if ( netbios_session_message )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(netbios_session_message, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_query));
+			val_mgr->GetBool(is_query),
-		vl->append(val_mgr->GetCount(type));
+			val_mgr->GetCount(type),
-		vl->append(val_mgr->GetCount(len));
+			val_mgr->GetCount(len),
-		analyzer->ConnectionEvent(netbios_session_message, vl);
+		});
 		}
 	switch ( type ) {
@ -328,13 +328,19 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
 	if ( ! event )
 		return;
 	val_list* vl = new val_list;
 	vl->append(analyzer->BuildConnVal());
 	if ( is_orig >= 0 )
-		vl->append(val_mgr->GetBool(is_orig));
+		{
-	vl->append(new StringVal(new BroString(data, len, 0)));
+		analyzer->ConnectionEventFast(event, {
-
+			analyzer->BuildConnVal(),
-	analyzer->ConnectionEvent(event, vl);
+			val_mgr->GetBool(is_orig),
 			new StringVal(new BroString(data, len, 0)),
 		});
 		}
 	else
 		analyzer->ConnectionEventFast(event, {
 			analyzer->BuildConnVal(),
 			new StringVal(new BroString(data, len, 0)),
 		});
 	}
--- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
+++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
@ -94,6 +94,9 @@ refine connection NTLM_Conn += {
 	function proc_ntlm_negotiate(val: NTLM_Negotiate): bool
 		%{
 		if ( ! ntlm_negotiate )
 			return true;
 		RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate);
 		result->Assign(0, build_negotiate_flag_record(${val.flags}));
@ -115,6 +118,9 @@ refine connection NTLM_Conn += {
 	function proc_ntlm_challenge(val: NTLM_Challenge): bool
 		%{
 		if ( ! ntlm_challenge )
 			return true;
 		RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge);
 		result->Assign(0, build_negotiate_flag_record(${val.flags}));
@ -136,6 +142,9 @@ refine connection NTLM_Conn += {
 	function proc_ntlm_authenticate(val: NTLM_Authenticate): bool
 		%{
 		if ( ! ntlm_authenticate )
 			return true;
 		RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate);
 		result->Assign(0, build_negotiate_flag_record(${val.flags}));
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ b/src/analyzer/protocol/ntp/NTP.cc
@ -62,6 +62,9 @@ void NTP_Analyzer::Message(const u_char* data, int len)
 	len -= sizeof *ntp_data;
 	data += sizeof *ntp_data;
 	if ( ! ntp_message )
 		return;
 	RecordVal* msg = new RecordVal(ntp_msg);
 	unsigned int code = ntp_data->status & 0x7;
@ -78,12 +81,11 @@ void NTP_Analyzer::Message(const u_char* data, int len)
 	msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
 	msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
-	val_list* vl = new val_list;
+	ConnectionEventFast(ntp_message, {
-	vl->append(BuildConnVal());
+		BuildConnVal(),
-	vl->append(msg);
+		msg,
-	vl->append(new StringVal(new BroString(data, len, 0)));
+		new StringVal(new BroString(data, len, 0)),
-
+	});
 	ConnectionEvent(ntp_message, vl);
 	}
 double NTP_Analyzer::ShortFloat(struct s_fixedpt fp)
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@ -833,10 +833,8 @@ void POP3_Analyzer::StartTLS()
 	if ( ssl )
 		AddChildAnalyzer(ssl);
-	val_list* vl = new val_list;
+	if ( pop3_starttls )
-	vl->append(BuildConnVal());
+		ConnectionEventFast(pop3_starttls, {BuildConnVal()});
 	ConnectionEvent(pop3_starttls, vl);
 	}
 void POP3_Analyzer::AuthSuccessfull()
@ -926,14 +924,14 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
 	if ( ! event )
 		return;
-	val_list* vl = new val_list;
+	val_list vl(2 + (bool)arg1 + (bool)arg2);
-	vl->append(BuildConnVal());
+	vl.append(BuildConnVal());
-	vl->append(val_mgr->GetBool(is_orig));
+	vl.append(val_mgr->GetBool(is_orig));
 	if ( arg1 )
-		vl->append(new StringVal(arg1));
+		vl.append(new StringVal(arg1));
 	if ( arg2 )
-		vl->append(new StringVal(arg2));
+		vl.append(new StringVal(arg2));
-	ConnectionEvent(event, vl);
+	ConnectionEventFast(event, std::move(vl));
 	}
--- a/src/analyzer/protocol/rfb/rfb-analyzer.pac
+++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac
@ -1,6 +1,7 @@
 refine flow RFB_Flow += {
 	function proc_rfb_message(msg: RFB_PDU): bool
 		%{
 		if ( rfb_event )
 			BifEvent::generate_rfb_event(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn());
 		return true;
 		%}
@ -9,12 +10,14 @@ refine flow RFB_Flow += {
 		%{
 		if (client)
 			{
 			if ( rfb_client_version )
 				BifEvent::generate_rfb_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
 			connection()->bro_analyzer()->ProtocolConfirmation();
 			}
 			else
 			{
 			if ( rfb_server_version )
 				BifEvent::generate_rfb_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(major), bytestring_to_val(minor));
 			}
 		return true;
@ -22,30 +25,35 @@ refine flow RFB_Flow += {
 	function proc_rfb_share_flag(shared: bool) : bool
 		%{
 		if ( rfb_share_flag )
 			BifEvent::generate_rfb_share_flag(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), shared);
 		return true;
 		%}
 	function proc_security_types(msg: RFBSecurityTypes) : bool
 		%{
 		if ( rfb_authentication_type )
 			BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.sectype});
 		return true;
 		%}
 	function proc_security_types37(msg: RFBAuthTypeSelected) : bool
 		%{
 		if ( rfb_authentication_type )
 			BifEvent::generate_rfb_authentication_type(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.type});
 		return true;
 		%}
 	function proc_handle_server_params(msg:RFBServerInit) : bool
 		%{
 		if ( rfb_server_parameters )
 			BifEvent::generate_rfb_server_parameters(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.name}), ${msg.width}, ${msg.height});
 		return true;
 		%}
 	function proc_handle_security_result(result : uint32) : bool
 		%{
 		if ( rfb_auth_result )
 			BifEvent::generate_rfb_auth_result(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), result);
 		return true;
 		%}
--- a/src/analyzer/protocol/rpc/MOUNT.cc
+++ b/src/analyzer/protocol/rpc/MOUNT.cc
@ -93,9 +93,9 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
 	if ( mount_reply_status )
 		{
-		val_list* vl = event_common_vl(c, rpc_status, mount_status,
+		auto vl = event_common_vl(c, rpc_status, mount_status,
-					   start_time, last_time, reply_len);
+					   start_time, last_time, reply_len, 0);
-		analyzer->ConnectionEvent(mount_reply_status, vl);
+		analyzer->ConnectionEventFast(mount_reply_status, std::move(vl));
 		}
 	if ( ! rpc_success )
@ -162,34 +162,34 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
 	// optional and all are set to 0 ...
 	if ( event )
 		{
 		val_list* vl = event_common_vl(c, rpc_status, mount_status,
 					start_time, last_time, reply_len);
 		Val *request = c->TakeRequestVal();
 		auto vl = event_common_vl(c, rpc_status, mount_status,
 					start_time, last_time, reply_len, (bool)request + (bool)reply);
 		if ( request )
-			vl->append(request);
+			vl.append(request);
 		if ( reply )
-			vl->append(reply);
+			vl.append(reply);
-		analyzer->ConnectionEvent(event, vl);
+		analyzer->ConnectionEventFast(event, std::move(vl));
 		}
 	else
 		Unref(reply);
 	return 1;
 	}
-val_list* MOUNT_Interp::event_common_vl(RPC_CallInfo *c, 
+val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c, 
 		      BifEnum::rpc_status rpc_status,
 				      BifEnum::MOUNT3::status_t mount_status,
 				      double rep_start_time,
-				      double rep_last_time, int reply_len)
+				      double rep_last_time, int reply_len, int extra_elements)
 	{
 	// Returns a new val_list that already has a conn_val, and mount3_info.
 	// These are the first parameters for each mount_* event ...
-	val_list *vl = new val_list;
+	val_list vl(2 + extra_elements);
-	vl->append(analyzer->BuildConnVal());
+	vl.append(analyzer->BuildConnVal());
 	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
 	for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
@ -212,7 +212,7 @@ val_list* MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 	info->Assign(11, new StringVal(c->MachineName()));
 	info->Assign(12, auxgids);
-	vl->append(info);
+	vl.append(info);
 	return vl;
 	}
--- a/src/analyzer/protocol/rpc/MOUNT.h
+++ b/src/analyzer/protocol/rpc/MOUNT.h
@ -22,10 +22,10 @@ protected:
 	// Returns a new val_list that already has a conn_val, rpc_status and
 	// mount_status. These are the first parameters for each mount_* event
 	// ...
-	val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+	val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				BifEnum::MOUNT3::status_t mount_status,
 				double rep_start_time, double rep_last_time,
-				int reply_len);
+				int reply_len, int extra_elements);
 	// These methods parse the appropriate MOUNTv3 "type" out of buf. If
 	// there are any errors (i.e., buffer to short, etc), buf will be set
--- a/src/analyzer/protocol/rpc/NFS.cc
+++ b/src/analyzer/protocol/rpc/NFS.cc
@ -147,9 +147,9 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 	if ( nfs_reply_status )
 		{
-		val_list* vl = event_common_vl(c, rpc_status, nfs_status,
+		auto vl = event_common_vl(c, rpc_status, nfs_status,
-					       start_time, last_time, reply_len);
+					       start_time, last_time, reply_len, 0);
-		analyzer->ConnectionEvent(nfs_reply_status, vl);
+		analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl));
 		}
 	if ( ! rpc_success )
@ -274,18 +274,18 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 	// optional and all are set to 0 ...
 	if ( event )
 		{
 		val_list* vl = event_common_vl(c, rpc_status, nfs_status,
 					start_time, last_time, reply_len);
 		Val *request = c->TakeRequestVal();
 		auto vl = event_common_vl(c, rpc_status, nfs_status,
 					start_time, last_time, reply_len, (bool)request + (bool)reply);
 		if ( request )
-			vl->append(request);
+			vl.append(request);
 		if ( reply )
-			vl->append(reply);
+			vl.append(reply);
-		analyzer->ConnectionEvent(event, vl);
+		analyzer->ConnectionEventFast(event, std::move(vl));
 		}
 	else
 		Unref(reply);
@ -317,15 +317,15 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse
 	return 0;
 	}
-val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				      BifEnum::NFS3::status_t nfs_status,
 				      double rep_start_time,
-				      double rep_last_time, int reply_len)
+				      double rep_last_time, int reply_len, int extra_elements)
 	{
 	// Returns a new val_list that already has a conn_val, and nfs3_info.
 	// These are the first parameters for each nfs_* event ...
-	val_list *vl = new val_list;
+	val_list vl(2 + extra_elements);
-	vl->append(analyzer->BuildConnVal());
+	vl.append(analyzer->BuildConnVal());
 	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
 	for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
@ -346,7 +346,7 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s
 	info->Assign(11, new StringVal(c->MachineName()));
 	info->Assign(12, auxgids);
-	vl->append(info);
+	vl.append(info);
 	return vl;
 	}
--- a/src/analyzer/protocol/rpc/NFS.h
+++ b/src/analyzer/protocol/rpc/NFS.h
@ -22,10 +22,10 @@ protected:
 	// Returns a new val_list that already has a conn_val, rpc_status and
 	// nfs_status. These are the first parameters for each nfs_* event
 	// ...
-	val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+	val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				BifEnum::NFS3::status_t nfs_status,
 				double rep_start_time, double rep_last_time,
-				int reply_len);
+				int reply_len, int extra_elements);
 	// These methods parse the appropriate NFSv3 "type" out of buf. If
 	// there are any errors (i.e., buffer to short, etc), buf will be set
--- a/src/analyzer/protocol/rpc/Portmap.cc
+++ b/src/analyzer/protocol/rpc/Portmap.cc
@ -261,10 +261,10 @@ uint32 PortmapperInterp::CheckPort(uint32 port)
 		{
 		if ( pm_bad_port )
 			{
-			val_list* vl = new val_list;
+			analyzer->ConnectionEventFast(pm_bad_port, {
-			vl->append(analyzer->BuildConnVal());
+				analyzer->BuildConnVal(),
-			vl->append(val_mgr->GetCount(port));
+				val_mgr->GetCount(port),
-			analyzer->ConnectionEvent(pm_bad_port, vl);
+			});
 			}
 		port = 0;
@ -282,25 +282,25 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
 		return;
 		}
-	val_list* vl = new val_list;
+	val_list vl;
-	vl->append(analyzer->BuildConnVal());
+	vl.append(analyzer->BuildConnVal());
 	if ( status == BifEnum::RPC_SUCCESS )
 		{
 		if ( request )
-			vl->append(request);
+			vl.append(request);
 		if ( reply )
-			vl->append(reply);
+			vl.append(reply);
 		}
 	else
 		{
-		vl->append(BifType::Enum::rpc_status->GetVal(status));
+		vl.append(BifType::Enum::rpc_status->GetVal(status));
 		if ( request )
-			vl->append(request);
+			vl.append(request);
 		}
-	analyzer->ConnectionEvent(f, vl);
+	analyzer->ConnectionEventFast(f, std::move(vl));
 	}
 Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@ -330,16 +330,16 @@ void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status st
 	{
 	if ( rpc_dialogue )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(rpc_dialogue, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetCount(c->Program()));
+			val_mgr->GetCount(c->Program()),
-		vl->append(val_mgr->GetCount(c->Version()));
+			val_mgr->GetCount(c->Version()),
-		vl->append(val_mgr->GetCount(c->Proc()));
+			val_mgr->GetCount(c->Proc()),
-		vl->append(BifType::Enum::rpc_status->GetVal(status));
+			BifType::Enum::rpc_status->GetVal(status),
-		vl->append(new Val(c->StartTime(), TYPE_TIME));
+			new Val(c->StartTime(), TYPE_TIME),
-		vl->append(val_mgr->GetCount(c->CallLen()));
+			val_mgr->GetCount(c->CallLen()),
-		vl->append(val_mgr->GetCount(reply_len));
+			val_mgr->GetCount(reply_len),
-		analyzer->ConnectionEvent(rpc_dialogue, vl);
+		});
 		}
 	}
@ -347,14 +347,14 @@ void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
 	{
 	if ( rpc_call )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(rpc_call, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetCount(c->XID()));
+			val_mgr->GetCount(c->XID()),
-		vl->append(val_mgr->GetCount(c->Program()));
+			val_mgr->GetCount(c->Program()),
-		vl->append(val_mgr->GetCount(c->Version()));
+			val_mgr->GetCount(c->Version()),
-		vl->append(val_mgr->GetCount(c->Proc()));
+			val_mgr->GetCount(c->Proc()),
-		vl->append(val_mgr->GetCount(c->CallLen()));
+			val_mgr->GetCount(c->CallLen()),
-		analyzer->ConnectionEvent(rpc_call, vl);
+		});
 		}
 	}
@ -362,12 +362,12 @@ void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status,
 	{
 	if ( rpc_reply )
 		{
-		val_list* vl = new val_list;
+		analyzer->ConnectionEventFast(rpc_reply, {
-		vl->append(analyzer->BuildConnVal());
+			analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetCount(xid));
+			val_mgr->GetCount(xid),
-		vl->append(BifType::Enum::rpc_status->GetVal(status));
+			BifType::Enum::rpc_status->GetVal(status),
-		vl->append(val_mgr->GetCount(reply_len));
+			val_mgr->GetCount(reply_len),
-		analyzer->ConnectionEvent(rpc_reply, vl);
+		});
 		}
 	}
--- a/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-nt-create-andx.pac
@ -6,6 +6,8 @@ refine connection SMB_Conn += {
 		     BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
 			{
 			set_tree_is_pipe(${header.tid});
 			if ( smb_pipe_connect_heuristic )
 				BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
 				                                              bro_analyzer()->Conn());
 			}
--- a/src/analyzer/protocol/smb/smb1-protocol.pac
+++ b/src/analyzer/protocol/smb/smb1-protocol.pac
@ -66,6 +66,7 @@ refine connection SMB_Conn += {
 			}
 		else
 			{
 			if ( smb1_error )
 				BifEvent::generate_smb1_error(bro_analyzer(),
 				                              bro_analyzer()->Conn(),
 				                              BuildHeaderVal(h), is_orig);
--- a/src/analyzer/protocol/smb/smb2-com-create.pac
+++ b/src/analyzer/protocol/smb/smb2-com-create.pac
@ -7,6 +7,8 @@ refine connection SMB_Conn += {
 		     BifConst::SMB::pipe_filenames->AsTable()->Lookup(filename->CheckString()) )
 			{
 			set_tree_is_pipe(${h.tree_id});
 			if ( smb_pipe_connect_heuristic )
 				BifEvent::generate_smb_pipe_connect_heuristic(bro_analyzer(),
 				                                              bro_analyzer()->Conn());
 			}
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@ -220,11 +220,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 			if ( smtp_data && ! skip_data )
 				{
-				val_list* vl = new val_list;
+				ConnectionEventFast(smtp_data, {
-				vl->append(BuildConnVal());
+					BuildConnVal(),
-				vl->append(val_mgr->GetBool(orig));
+					val_mgr->GetBool(orig),
-				vl->append(new StringVal(data_len, line));
+					new StringVal(data_len, line),
-				ConnectionEvent(smtp_data, vl);
+				});
 				}
 			}
@ -350,15 +350,14 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 						break;
 				}
-				val_list* vl = new val_list;
+				ConnectionEventFast(smtp_reply, {
-				vl->append(BuildConnVal());
+					BuildConnVal(),
-				vl->append(val_mgr->GetBool(orig));
+					val_mgr->GetBool(orig),
-				vl->append(val_mgr->GetCount(reply_code));
+					val_mgr->GetCount(reply_code),
-				vl->append(new StringVal(cmd));
+					new StringVal(cmd),
-				vl->append(new StringVal(end_of_line - line, line));
+					new StringVal(end_of_line - line, line),
-				vl->append(val_mgr->GetBool((pending_reply > 0)));
+					val_mgr->GetBool((pending_reply > 0)),
-
+				});
 				ConnectionEvent(smtp_reply, vl);
 				}
 			}
@ -411,10 +410,8 @@ void SMTP_Analyzer::StartTLS()
 	if ( ssl )
 		AddChildAnalyzer(ssl);
-	val_list* vl = new val_list;
+	if ( smtp_starttls )
-	vl->append(BuildConnVal());
+		ConnectionEventFast(smtp_starttls, {BuildConnVal()});
 	ConnectionEvent(smtp_starttls, vl);
 	}
@ -856,14 +853,14 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
 				int arg_len, const char* arg)
 	{
 	ProtocolConfirmation();
 	val_list* vl = new val_list;
-	vl->append(BuildConnVal());
+	if ( smtp_request )
-	vl->append(val_mgr->GetBool(orig_is_sender));
+		ConnectionEventFast(smtp_request, {
-	vl->append((new StringVal(cmd_len, cmd))->ToUpper());
+			BuildConnVal(),
-	vl->append(new StringVal(arg_len, arg));
+			val_mgr->GetBool(orig_is_sender),
-
+			(new StringVal(cmd_len, cmd))->ToUpper(),
-	ConnectionEvent(smtp_request, vl);
+			new StringVal(arg_len, arg),
 		});
 	}
 void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
@ -874,17 +871,16 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
 	if ( smtp_unexpected )
 		{
 		val_list* vl = new val_list;
 		int is_orig = is_sender;
 		if ( ! orig_is_sender )
 			is_orig = ! is_orig;
-		vl->append(BuildConnVal());
+		ConnectionEventFast(smtp_unexpected, {
-		vl->append(val_mgr->GetBool(is_orig));
+			BuildConnVal(),
-		vl->append(new StringVal(msg));
+			val_mgr->GetBool(is_orig),
-		vl->append(new StringVal(detail_len, detail));
+			new StringVal(msg),
-
+			new StringVal(detail_len, detail),
-		ConnectionEvent(smtp_unexpected, vl);
+		});
 		}
 	}
--- a/src/analyzer/protocol/socks/socks-analyzer.pac
+++ b/src/analyzer/protocol/socks/socks-analyzer.pac
@ -22,8 +22,11 @@ refine connection SOCKS_Conn += {
 	function socks4_request(request: SOCKS4_Request): bool
 		%{
 		if ( socks_request )
 			{
 			RecordVal* sa = new RecordVal(socks_address);
 			sa->Assign(0, new AddrVal(htonl(${request.addr})));
 			if ( ${request.v4a} )
 				sa->Assign(1, array_to_string(${request.name}));
@ -34,6 +37,7 @@ refine connection SOCKS_Conn += {
 			                                 sa,
 			                                 val_mgr->GetPort(${request.port}, TRANSPORT_TCP),
 			                                 array_to_string(${request.user}));
 			}
 		static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -42,6 +46,8 @@ refine connection SOCKS_Conn += {
 	function socks4_reply(reply: SOCKS4_Reply): bool
 		%{
 		if ( socks_reply )
 			{
 			RecordVal* sa = new RecordVal(socks_address);
 			sa->Assign(0, new AddrVal(htonl(${reply.addr})));
@ -51,6 +57,7 @@ refine connection SOCKS_Conn += {
 			                               ${reply.status},
 			                               sa,
 			                               val_mgr->GetPort(${reply.port}, TRANSPORT_TCP));
 			}
 		bro_analyzer()->ProtocolConfirmation();
 		static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
@ -97,6 +104,7 @@ refine connection SOCKS_Conn += {
 				return false;
 			}
 		if ( socks_request )
 			BifEvent::generate_socks_request(bro_analyzer(),
 			                                 bro_analyzer()->Conn(),
 			                                 5,
@ -104,6 +112,8 @@ refine connection SOCKS_Conn += {
 			                                 sa,
 			                                 val_mgr->GetPort(${request.port}, TRANSPORT_TCP),
 			                                 val_mgr->GetEmptyString());
 		else
 			Unref(sa);
 		static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(true);
@ -136,12 +146,15 @@ refine connection SOCKS_Conn += {
 				return false;
 			}
 		if ( socks_reply )
 			BifEvent::generate_socks_reply(bro_analyzer(),
 			                               bro_analyzer()->Conn(),
 			                               5,
 			                               ${reply.reply},
 			                               sa,
 			                               val_mgr->GetPort(${reply.port}, TRANSPORT_TCP));
 		else
 			Unref(sa);
 		bro_analyzer()->ProtocolConfirmation();
 		static_cast<analyzer::socks::SOCKS_Analyzer*>(bro_analyzer())->EndpointDone(false);
@ -150,6 +163,9 @@ refine connection SOCKS_Conn += {
 	function socks5_auth_request_userpass(request: SOCKS5_Auth_Request_UserPass_v1): bool
 		%{
 		if ( ! socks_login_userpass_request )
 			return true;
 		StringVal* user = new StringVal(${request.username}.length(), (const char*) ${request.username}.begin());
 		StringVal* pass = new StringVal(${request.password}.length(), (const char*) ${request.password}.begin());
@ -173,6 +189,7 @@ refine connection SOCKS_Conn += {
 	function socks5_auth_reply_userpass(reply: SOCKS5_Auth_Reply_UserPass_v1): bool
 		%{
 		if ( socks_login_userpass_reply )
 			BifEvent::generate_socks_login_userpass_reply(bro_analyzer(),
 			                                              bro_analyzer()->Conn(),
 			                                              ${reply.code});
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@ -17,8 +17,8 @@ refine connection SSL_Conn += {
 	function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool
 		%{
-		BifEvent::generate_ssl_established(bro_analyzer(),
+		if ( ssl_established )
-				bro_analyzer()->Conn());
+			BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
 		return true;
 		%}
--- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
@ -31,6 +31,7 @@ refine connection SSL_Conn += {
 	function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
 		%{
 		if ( ssl_alert )
 			BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
 							${rec.is_orig}, level, desc);
 		return true;
@ -50,8 +51,8 @@ refine connection SSL_Conn += {
 		      established_ == false )
 			{
 			established_ = true;
-			BifEvent::generate_ssl_established(bro_analyzer(),
+			if ( ssl_established )
-							bro_analyzer()->Conn());
+				BifEvent::generate_ssl_established(bro_analyzer(), bro_analyzer()->Conn());
 			}
 		if ( ssl_encrypted_data )
@ -72,6 +73,7 @@ refine connection SSL_Conn += {
 	function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool
 		%{
 		if ( ssl_heartbeat )
 			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
 				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
 				new StringVal(data.length(), (const char*) data.data()));
@ -93,6 +95,7 @@ refine connection SSL_Conn += {
 	function proc_ccs(rec: SSLRecord) : bool
 		%{
 		if ( ssl_change_cipher_spec )
 			BifEvent::generate_ssl_change_cipher_spec(bro_analyzer(),
 				bro_analyzer()->Conn(), ${rec.is_orig});
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@ -72,6 +72,9 @@ refine connection Handshake_Conn += {
 	function proc_ec_point_formats(rec: HandshakeRecord, point_format_list: uint8[]) : bool
 		%{
 		if ( ! ssl_extension_ec_point_formats )
 			return true;
 		VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType());
 		if ( point_format_list )
@ -88,6 +91,9 @@ refine connection Handshake_Conn += {
 	function proc_elliptic_curves(rec: HandshakeRecord, list: uint16[]) : bool
 		%{
 		if ( ! ssl_extension_elliptic_curves )
 			return true;
 		VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType());
 		if ( list )
@ -104,6 +110,9 @@ refine connection Handshake_Conn += {
 	function proc_client_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry[]) : bool
 		%{
 		if ( ! ssl_extension_key_share )
 			return true;
 		VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
 		if ( keyshare )
@ -113,11 +122,15 @@ refine connection Handshake_Conn += {
 			}
 		BifEvent::generate_ssl_extension_key_share(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, nglist);
 		return true;
 		%}
 	function proc_server_key_share(rec: HandshakeRecord, keyshare: KeyShareEntry) : bool
 		%{
 		if ( ! ssl_extension_key_share )
 			return true;
 		VectorVal* nglist = new VectorVal(internal_type("index_vec")->AsVectorType());
 		nglist->Assign(0u, val_mgr->GetCount(keyshare->namedgroup()));
@ -127,6 +140,9 @@ refine connection Handshake_Conn += {
 	function proc_signature_algorithm(rec: HandshakeRecord, supported_signature_algorithms: SignatureAndHashAlgorithm[]) : bool
 		%{
 		if ( ! ssl_extension_signature_algorithm )
 			return true;
 		VectorVal* slist = new VectorVal(internal_type("signature_and_hashalgorithm_vec")->AsVectorType());
 		if ( supported_signature_algorithms )
@ -147,6 +163,9 @@ refine connection Handshake_Conn += {
 	function proc_apnl(rec: HandshakeRecord, protocols: ProtocolName[]) : bool
 		%{
 		if ( ! ssl_extension_application_layer_protocol_negotiation )
 			return true;
 		VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
 		if ( protocols )
@ -183,14 +202,20 @@ refine connection Handshake_Conn += {
 				}
 			}
 		if ( ssl_extension_server_name )
 			BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
 		   	   ${rec.is_orig}, servers);
 		else
 			Unref(servers);
 		return true;
 		%}
 	function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool
 		%{
 		if ( ! ssl_extension_supported_versions )
 			return true;
 		VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
 		if ( versions_list )
@ -207,6 +232,9 @@ refine connection Handshake_Conn += {
 	function proc_one_supported_version(rec: HandshakeRecord, version: uint16) : bool
 		%{
 		if ( ! ssl_extension_supported_versions )
 			return true;
 		VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
 		versions->Assign(0u, val_mgr->GetCount(version));
@ -218,6 +246,9 @@ refine connection Handshake_Conn += {
 	function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool
 		%{
 		if ( ! ssl_extension_psk_key_exchange_modes )
 			return true;
 		VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType());
 		if ( mode_list )
@ -272,10 +303,11 @@ refine connection Handshake_Conn += {
 			                 response.length(), bro_analyzer()->GetAnalyzerTag(),
 			                 bro_analyzer()->Conn(), false, file_id, "application/ocsp-response");
 			if ( ssl_stapled_ocsp )
 				BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
-							    bro_analyzer()->Conn(), ${rec.is_orig},
+				        bro_analyzer()->Conn(),
-							    new StringVal(response.length(),
+				        ${rec.is_orig},
-							    (const char*) response.data()));
+				        new StringVal(response.length(), (const char*) response.data()));
 			file_mgr->EndOfFile(file_id);
 			}
@ -288,11 +320,16 @@ refine connection Handshake_Conn += {
 		if ( ${kex.curve_type} != NAMED_CURVE )
 			return true;
 		if ( ssl_server_curve )
 			BifEvent::generate_ssl_server_curve(bro_analyzer(),
 				bro_analyzer()->Conn(), ${kex.params.curve});
 		if ( ssl_ecdh_server_params )
 			BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
 				bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
 		if ( ssl_server_signature )
 			{
 			RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
 			if ( ${kex.signed_params.uses_signature_and_hashalgorithm} )
 				{
@ -308,6 +345,7 @@ refine connection Handshake_Conn += {
 			BifEvent::generate_ssl_server_signature(bro_analyzer(),
 				bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data()));
 			}
 		return true;
 		%}
@ -317,8 +355,11 @@ refine connection Handshake_Conn += {
 		if ( ${kex.curve_type} != NAMED_CURVE )
 			return true;
 		if ( ssl_server_curve )
 			BifEvent::generate_ssl_server_curve(bro_analyzer(),
 				bro_analyzer()->Conn(), ${kex.params.curve});
 		if ( ssl_ecdh_server_params )
 			BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(),
 				bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data()));
@ -327,24 +368,33 @@ refine connection Handshake_Conn += {
 	function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool
 		%{
 		if ( ssl_rsa_client_pms )
 			BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data()));
 		return true;
 		%}
 	function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool
 		%{
 		if ( ssl_dh_client_params )
 			BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data()));
 		return true;
 		%}
 	function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool
 		%{
 		if ( ssl_ecdh_client_params )
 			BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data()));
 		return true;
 		%}
 	function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool
 		%{
 		if ( ! ssl_extension_signed_certificate_timestamp )
 			return true;
 		RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
 		ha->Assign(0, val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm()));
 		ha->Assign(1, val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm()));
@ -363,6 +413,7 @@ refine connection Handshake_Conn += {
 	function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool
 		%{
 		if ( ssl_ecdh_server_params )
 			BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
 			  bro_analyzer()->Conn(),
 			  new StringVal(p.length(), (const char*) p.data()),
@ -370,6 +421,8 @@ refine connection Handshake_Conn += {
 			  new StringVal(Ys.length(), (const char*) Ys.data())
 			  );
 		if ( ssl_server_signature )
 			{
 			RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm);
 			if ( ${signed_params.uses_signature_and_hashalgorithm} )
 				{
@ -387,12 +440,14 @@ refine connection Handshake_Conn += {
 			  bro_analyzer()->Conn(), ha,
 			  new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data())
 			  );
 			}
 		return true;
 		%}
 	function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
 		%{
 		if ( ssl_dh_server_params )
 			BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
 			  bro_analyzer()->Conn(),
 			  new StringVal(p.length(), (const char*) p.data()),
@ -405,6 +460,7 @@ refine connection Handshake_Conn += {
 	function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool
 		%{
 		if ( ssl_handshake_message )
 			BifEvent::generate_ssl_handshake_message(bro_analyzer(),
 				bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length));
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@ -139,25 +139,23 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
 	if ( ! f )
 		return;
 	val_list* vl = new val_list;
 	vl->append(val_mgr->GetInt(id1));
 	if ( id2 >= 0 )
-		vl->append(val_mgr->GetInt(id2));
+		endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
 	else
 		endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)});
 	endp->TCP()->ConnectionEvent(f, vl);
 	}
 void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
 	{
-	val_list* vl = new val_list;
+	if ( ! stp_create_endp )
 		return;
-	vl->append(endp->TCP()->BuildConnVal());
+	endp->TCP()->ConnectionEventFast(stp_create_endp, {
-	vl->append(val_mgr->GetInt(stp_id));
+		endp->TCP()->BuildConnVal(),
-	vl->append(val_mgr->GetBool(is_orig));
+		val_mgr->GetInt(stp_id),
-
+		val_mgr->GetBool(is_orig),
-	endp->TCP()->ConnectionEvent(stp_create_endp, vl);
+	});
 	}
 SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
--- a/src/analyzer/protocol/syslog/syslog-analyzer.pac
+++ b/src/analyzer/protocol/syslog/syslog-analyzer.pac
@ -11,6 +11,9 @@ flow Syslog_Flow
 	function process_syslog_message(m: Syslog_Message): bool
 		%{
 		if ( ! syslog_message )
 			return true;
 		if ( ${m.has_pri} )
 			BifEvent::generate_syslog_message(
 			    connection()->bro_analyzer(),
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@ -299,11 +299,11 @@ static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig,
 			if ( OS_val )
 				{ // found new OS version
-				val_list* vl = new val_list;
+				tcp->ConnectionEventFast(OS_version_found, {
-				vl->append(tcp->BuildConnVal());
+					tcp->BuildConnVal(),
-				vl->append(src_addr_val->Ref());
+					src_addr_val->Ref(),
-				vl->append(OS_val);
+					OS_val,
-				tcp->ConnectionEvent(OS_version_found, vl);
+				});
 				}
 			}
@ -965,20 +965,17 @@ void TCP_Analyzer::GeneratePacketEvent(
 					const u_char* data, int len, int caplen,
 					int is_orig, TCP_Flags flags)
 	{
-	val_list* vl = new val_list();
+	ConnectionEventFast(tcp_packet, {
-
+		BuildConnVal(),
-	vl->append(BuildConnVal());
+		val_mgr->GetBool(is_orig),
-	vl->append(val_mgr->GetBool(is_orig));
+		new StringVal(flags.AsString()),
-	vl->append(new StringVal(flags.AsString()));
+		val_mgr->GetCount(rel_seq),
-	vl->append(val_mgr->GetCount(rel_seq));
+		val_mgr->GetCount(flags.ACK() ? rel_ack : 0),
-	vl->append(val_mgr->GetCount(flags.ACK() ? rel_ack : 0));
+		val_mgr->GetCount(len),
 	vl->append(val_mgr->GetCount(len));
 		// We need the min() here because Ethernet padding can lead to
 		// caplen > len.
-	vl->append(new StringVal(min(caplen, len), (const char*) data));
+		new StringVal(min(caplen, len), (const char*) data),
-
+	});
 	ConnectionEvent(tcp_packet, vl);
 	}
 int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
@ -1283,10 +1280,10 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		if ( connection_SYN_packet )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(connection_SYN_packet, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(SYN_vals->Ref());
+				SYN_vals->Ref(),
-			ConnectionEvent(connection_SYN_packet, vl);
+			});
 			}
 		passive_fingerprint(this, is_orig, ip, tp, tcp_hdr_len);
@ -1510,14 +1507,12 @@ int TCP_Analyzer::TCPOptionEvent(unsigned int opt,
 	{
 	if ( tcp_option )
 		{
-		val_list* vl = new val_list();
+		analyzer->ConnectionEventFast(tcp_option, {
-
+			analyzer->BuildConnVal(),
-		vl->append(analyzer->BuildConnVal());
+			val_mgr->GetBool(is_orig),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetCount(opt),
-		vl->append(val_mgr->GetCount(opt));
+			val_mgr->GetCount(optlen),
-		vl->append(val_mgr->GetCount(optlen));
+		});
 		analyzer->ConnectionEvent(tcp_option, vl);
 		}
 	return 0;
@ -1833,10 +1828,10 @@ void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 	{
 	if ( connection_EOF )
 		{
-		val_list* vl = new val_list();
+		ConnectionEventFast(connection_EOF, {
-		vl->append(BuildConnVal());
+			BuildConnVal(),
-		vl->append(val_mgr->GetBool(endp->IsOrig()));
+			val_mgr->GetBool(endp->IsOrig()),
-		ConnectionEvent(connection_EOF, vl);
+		});
 		}
 	const analyzer_list& children(GetChildren());
@ -2115,15 +2110,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen,
 		if ( tcp_rexmit )
 			{
-			val_list* vl = new val_list();
+			endp->TCP()->ConnectionEventFast(tcp_rexmit, {
-			vl->append(endp->TCP()->BuildConnVal());
+				endp->TCP()->BuildConnVal(),
-			vl->append(val_mgr->GetBool(endp->IsOrig()));
+				val_mgr->GetBool(endp->IsOrig()),
-			vl->append(val_mgr->GetCount(seq));
+				val_mgr->GetCount(seq),
-			vl->append(val_mgr->GetCount(len));
+				val_mgr->GetCount(len),
-			vl->append(val_mgr->GetCount(data_in_flight));
+				val_mgr->GetCount(data_in_flight),
-			vl->append(val_mgr->GetCount(endp->peer->window));
+				val_mgr->GetCount(endp->peer->window),
-
+			});
 			endp->TCP()->ConnectionEvent(tcp_rexmit, vl);
 			}
 		}
 	else
@ -2171,11 +2165,12 @@ void TCPStats_Analyzer::Done()
 	{
 	TCP_ApplicationAnalyzer::Done();
-	val_list* vl = new val_list;
+	if ( conn_stats )
-	vl->append(BuildConnVal());
+		ConnectionEventFast(conn_stats, {
-	vl->append(orig_stats->BuildStats());
+			BuildConnVal(),
-	vl->append(resp_stats->BuildStats());
+			orig_stats->BuildStats(),
-	ConnectionEvent(conn_stats, vl);
+			resp_stats->BuildStats(),
 		});
 	}
 void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@ -237,11 +237,11 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen,
 			if ( contents_file_write_failure )
 				{
-				val_list* vl = new val_list();
+				tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-				vl->append(Conn()->BuildConnVal());
+					Conn()->BuildConnVal(),
-				vl->append(val_mgr->GetBool(IsOrig()));
+					val_mgr->GetBool(IsOrig()),
-				vl->append(new StringVal(buf));
+					new StringVal(buf),
-				tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl);
+				});
 				}
 			}
 		}
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@ -145,12 +145,12 @@ void TCP_Reassembler::Gap(uint64 seq, uint64 len)
 	if ( report_gap(endp, endp->peer) )
 		{
-		val_list* vl = new val_list;
+		dst_analyzer->ConnectionEventFast(content_gap, {
-		vl->append(dst_analyzer->BuildConnVal());
+			dst_analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(IsOrig()));
+			val_mgr->GetBool(IsOrig()),
-		vl->append(val_mgr->GetCount(seq));
+			val_mgr->GetCount(seq),
-		vl->append(val_mgr->GetCount(len));
+			val_mgr->GetCount(len),
-		dst_analyzer->ConnectionEvent(content_gap, vl);
+		});
 		}
 	if ( type == Direct )
@ -344,11 +344,11 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
 	if ( contents_file_write_failure )
 		{
-		val_list* vl = new val_list();
+		tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-		vl->append(Endpoint()->Conn()->BuildConnVal());
+			Endpoint()->Conn()->BuildConnVal(),
-		vl->append(val_mgr->GetBool(IsOrig()));
+			val_mgr->GetBool(IsOrig()),
-		vl->append(new StringVal("TCP reassembler content write failure"));
+			new StringVal("TCP reassembler content write failure"),
-		tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl);
+		});
 		}
 	}
@ -361,11 +361,11 @@ void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f)
 	if ( contents_file_write_failure )
 		{
-		val_list* vl = new val_list();
+		tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-		vl->append(Endpoint()->Conn()->BuildConnVal());
+			Endpoint()->Conn()->BuildConnVal(),
-		vl->append(val_mgr->GetBool(IsOrig()));
+			val_mgr->GetBool(IsOrig()),
-		vl->append(new StringVal("TCP reassembler gap write failure"));
+			new StringVal("TCP reassembler gap write failure"),
-		tcp_analyzer->ConnectionEvent(contents_file_write_failure, vl);
+		});
 		}
 	}
@ -434,12 +434,12 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
 		BroString* b1_s = new BroString((const u_char*) b1, n, 0);
 		BroString* b2_s = new BroString((const u_char*) b2, n, 0);
-		val_list* vl = new val_list(3);
+		tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, {
-		vl->append(tcp_analyzer->BuildConnVal());
+			tcp_analyzer->BuildConnVal(),
-		vl->append(new StringVal(b1_s));
+			new StringVal(b1_s),
-		vl->append(new StringVal(b2_s));
+			new StringVal(b2_s),
-		vl->append(new StringVal(flags.AsString()));
+			new StringVal(flags.AsString()),
-		tcp_analyzer->ConnectionEvent(rexmit_inconsistency, vl);
+		});
 		}
 	}
@ -605,13 +605,12 @@ void TCP_Reassembler::DeliverBlock(uint64 seq, int len, const u_char* data)
 	if ( deliver_tcp_contents )
 		{
-		val_list* vl = new val_list();
+		tcp_analyzer->ConnectionEventFast(tcp_contents, {
-		vl->append(tcp_analyzer->BuildConnVal());
+			tcp_analyzer->BuildConnVal(),
-		vl->append(val_mgr->GetBool(IsOrig()));
+			val_mgr->GetBool(IsOrig()),
-		vl->append(val_mgr->GetCount(seq));
+			val_mgr->GetCount(seq),
-		vl->append(new StringVal(len, (const char*) data));
+			new StringVal(len, (const char*) data),
-
+		});
 		tcp_analyzer->ConnectionEvent(tcp_contents, vl);
 		}
 	// Q. Can we say this because it is already checked in DataSent()?
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@ -157,11 +157,11 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		if ( do_udp_contents )
 			{
-			val_list* vl = new val_list;
+			ConnectionEventFast(udp_contents, {
-			vl->append(BuildConnVal());
+				BuildConnVal(),
-			vl->append(val_mgr->GetBool(is_orig));
+				val_mgr->GetBool(is_orig),
-			vl->append(new StringVal(len, (const char*) data));
+				new StringVal(len, (const char*) data),
-			ConnectionEvent(udp_contents, vl);
+			});
 			}
 		Unref(port_val);
--- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
@ -32,6 +32,7 @@ refine connection XMPP_Conn += {
 		if ( !is_orig && ( token == "proceed" || token_no_ns == "proceed" ) && client_starttls )
 			{
 			bro_analyzer()->StartTLS();
 			if ( xmpp_starttls )
 				BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn());
 			}
 		else if ( !is_orig && token == "proceed" )
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@ -540,9 +540,11 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int
 	std::string serial_data(data, len);
 	free(data);
-	val_list vl(2);
+	val_list vl{
-	vl.append(stream->Ref());
+		stream->Ref(),
-	vl.append(new StringVal(path));
+		new StringVal(path),
 	};
 	Val* v = log_topic_func->Call(&vl);
 	if ( ! v )
@ -993,7 +995,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
 		return;
 		}
-	auto vl = new val_list;
+	val_list vl(args.size());
 	for ( auto i = 0u; i < args.size(); ++i )
 		{
@ -1002,7 +1004,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
 		auto val = data_to_val(std::move(args[i]), expected_type);
 		if ( val )
-			vl->append(val);
+			vl.append(val);
 		else
 			{
 			reporter->Warning("failed to convert remote event '%s' arg #%d,"
@ -1013,10 +1015,13 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::bro::Event ev)
 			}
 		}
-	if ( static_cast<size_t>(vl->length()) == args.size() )
+	if ( static_cast<size_t>(vl.length()) == args.size() )
-		mgr.QueueEvent(handler, vl, SOURCE_BROKER);
+		mgr.QueueEventFast(handler, std::move(vl), SOURCE_BROKER);
 	else
-		delete_vals(vl);
+		{
 		loop_over_list(vl, i)
 			Unref(vl[i]);
 		}
 	}
 bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc)
@ -1242,6 +1247,9 @@ void Manager::ProcessStatus(broker::status stat)
 		break;
 	}
 	if ( ! event )
 		return;
 	auto ei = internal_type("Broker::EndpointInfo")->AsRecordType();
 	auto endpoint_info = new RecordVal(ei);
@ -1270,11 +1278,7 @@ void Manager::ProcessStatus(broker::status stat)
 	auto str = stat.message();
 	auto msg = new StringVal(str ? *str : "");
-	auto vl = new val_list;
+	mgr.QueueEventFast(event, {endpoint_info, msg});
 	vl->append(endpoint_info);
 	vl->append(msg);
 	mgr.QueueEvent(event, vl);
 	}
 void Manager::ProcessError(broker::error err)
@ -1351,10 +1355,10 @@ void Manager::ProcessError(broker::error err)
 		msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str());
 		}
-	auto vl = new val_list;
+	mgr.QueueEventFast(Broker::error, {
-	vl->append(BifType::Enum::Broker::ErrorCode->GetVal(ec));
+		BifType::Enum::Broker::ErrorCode->GetVal(ec),
-	vl->append(new StringVal(msg));
+		new StringVal(msg),
-	mgr.QueueEvent(Broker::error, vl);
+	});
 	}
 void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response)
--- a/src/broker/messaging.bif
+++ b/src/broker/messaging.bif
@ -183,9 +183,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool
 	if ( ! topic_func )
 		topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc();
-	val_list vl(2);
+	val_list vl{pool->Ref(), key->Ref()};
 	vl.append(pool->Ref());
 	vl.append(key->Ref());
 	auto topic = topic_func->Call(&vl);
 	if ( ! topic->AsString()->Len() )
@ -226,9 +224,7 @@ function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool
 	if ( ! topic_func )
 		topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc();
-	val_list vl(2);
+	val_list vl{pool->Ref(), key->Ref()};
 	vl.append(pool->Ref());
 	vl.append(key->Ref());
 	auto topic = topic_func->Call(&vl);
 	if ( ! topic->AsString()->Len() )
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -154,11 +154,11 @@ void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig)
 	{
 	if ( conn && FileEventAvailable(file_over_new_connection) )
 		{
-		val_list* vl = new val_list();
+		FileEvent(file_over_new_connection, {
-		vl->append(val->Ref());
+			val->Ref(),
-		vl->append(conn->BuildConnVal());
+			conn->BuildConnVal(),
-		vl->append(val_mgr->GetBool(is_orig));
+			val_mgr->GetBool(is_orig),
-		FileEvent(file_over_new_connection, vl);
+		});
 		}
 	}
@ -303,13 +303,11 @@ bool File::SetMime(const string& mime_type)
 	if ( ! FileEventAvailable(file_sniff) )
 		return false;
 	val_list* vl = new val_list();
 	vl->append(val->Ref());
 	RecordVal* meta = new RecordVal(fa_metadata_type);
 	vl->append(meta);
 	meta->Assign(meta_mime_type_idx, new StringVal(mime_type));
 	meta->Assign(meta_inferred_idx, val_mgr->GetBool(0));
-	FileEvent(file_sniff, vl);
+
 	FileEvent(file_sniff, {val->Ref(), meta});
 	return true;
 	}
@ -338,10 +336,7 @@ void File::InferMetadata()
 	len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
 	file_mgr->DetectMIME(data, len, &matches);
 	val_list* vl = new val_list();
 	vl->append(val->Ref());
 	RecordVal* meta = new RecordVal(fa_metadata_type);
 	vl->append(meta);
 	if ( ! matches.empty() )
 		{
@ -351,7 +346,7 @@ void File::InferMetadata()
 		             file_analysis::GenMIMEMatchesVal(matches));
 		}
-	FileEvent(file_sniff, vl);
+	FileEvent(file_sniff, {val->Ref(), meta});
 	return;
 	}
@ -463,11 +458,11 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
 			if ( FileEventAvailable(file_reassembly_overflow) )
 				{
-				val_list* vl = new val_list();
+				FileEvent(file_reassembly_overflow, {
-				vl->append(val->Ref());
+					val->Ref(),
-				vl->append(val_mgr->GetCount(current_offset));
+					val_mgr->GetCount(current_offset),
-				vl->append(val_mgr->GetCount(gap_bytes));
+					val_mgr->GetCount(gap_bytes),
-				FileEvent(file_reassembly_overflow, vl);
+				});
 				}
 			}
@ -608,11 +603,11 @@ void File::Gap(uint64 offset, uint64 len)
 	if ( FileEventAvailable(file_gap) )
 		{
-		val_list* vl = new val_list();
+		FileEvent(file_gap, {
-		vl->append(val->Ref());
+			val->Ref(),
-		vl->append(val_mgr->GetCount(offset));
+			val_mgr->GetCount(offset),
-		vl->append(val_mgr->GetCount(len));
+			val_mgr->GetCount(len),
-		FileEvent(file_gap, vl);
+		});
 		}
 	analyzers.DrainModifications();
@ -631,14 +626,18 @@ void File::FileEvent(EventHandlerPtr h)
 	if ( ! FileEventAvailable(h) )
 		return;
-	val_list* vl = new val_list();
+	FileEvent(h, {val->Ref()});
 	vl->append(val->Ref());
 	FileEvent(h, vl);
 	}
 void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	{
-	mgr.QueueEvent(h, vl);
+	FileEvent(h, std::move(*vl));
 	delete vl;
 	}
 void File::FileEvent(EventHandlerPtr h, val_list vl)
 	{
 	mgr.QueueEventFast(h, std::move(vl));
 	if ( h == file_new || h == file_over_new_connection ||
 	     h == file_sniff ||
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@ -172,6 +172,12 @@ public:
 	 */
 	void FileEvent(EventHandlerPtr h, val_list* vl);
 	/**
 	 * Raises an event related to the file's life-cycle.
 	 * @param h pointer to an event handler.
 	 * @param vl list of argument values to pass to event call.
 	 */
 	void FileEvent(EventHandlerPtr h, val_list vl);
 	/**
 	 * Sets the MIME type for a file to a specific value.
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -443,12 +443,11 @@ string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)
 	EnumVal* tagval = tag.AsEnumVal();
 	Ref(tagval);
-	val_list* vl = new val_list();
+	mgr.QueueEventFast(get_file_handle, {
-	vl->append(tagval);
+		tagval,
-	vl->append(c->BuildConnVal());
+		c->BuildConnVal(),
-	vl->append(val_mgr->GetBool(is_orig));
+		val_mgr->GetBool(is_orig),
-
+	});
 	mgr.QueueEvent(get_file_handle, vl);
 	mgr.Drain(); // need file handle immediately so we don't have to buffer data
 	return current_file_id;
 	}
--- a/src/file_analysis/analyzer/data_event/DataEvent.cc
+++ b/src/file_analysis/analyzer/data_event/DataEvent.cc
@ -41,12 +41,11 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
 	{
 	if ( ! chunk_event ) return true;
-	val_list* args = new val_list;
+	mgr.QueueEventFast(chunk_event, {
-	args->append(GetFile()->GetVal()->Ref());
+		GetFile()->GetVal()->Ref(),
-	args->append(new StringVal(new BroString(data, len, 0)));
+		new StringVal(new BroString(data, len, 0)),
-	args->append(val_mgr->GetCount(offset));
+		val_mgr->GetCount(offset),
-
+	});
 	mgr.QueueEvent(chunk_event, args);
 	return true;
 	}
@ -55,11 +54,10 @@ bool DataEvent::DeliverStream(const u_char* data, uint64 len)
 	{
 	if ( ! stream_event ) return true;
-	val_list* args = new val_list;
+	mgr.QueueEventFast(stream_event, {
-	args->append(GetFile()->GetVal()->Ref());
+		GetFile()->GetVal()->Ref(),
-	args->append(new StringVal(new BroString(data, len, 0)));
+		new StringVal(new BroString(data, len, 0)),
-
+	});
 	mgr.QueueEvent(stream_event, args);
 	return true;
 	}
--- a/src/file_analysis/analyzer/entropy/Entropy.cc
+++ b/src/file_analysis/analyzer/entropy/Entropy.cc
@ -53,8 +53,8 @@ void Entropy::Finalize()
 	if ( ! fed )
 		return;
-	val_list* vl = new val_list();
+	if ( ! file_entropy )
-	vl->append(GetFile()->GetVal()->Ref());
+		return;
 	double montepi, scc, ent, mean, chisq;
 	montepi = scc = ent = mean = chisq = 0.0;
@ -67,6 +67,8 @@ void Entropy::Finalize()
 	ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE));
 	ent_result->Assign(4, new Val(scc,     TYPE_DOUBLE));
-	vl->append(ent_result);
+	mgr.QueueEventFast(file_entropy, {
-	mgr.QueueEvent(file_entropy, vl);
+		GetFile()->GetVal()->Ref(),
 		ent_result,
 	});
 	}
--- a/src/file_analysis/analyzer/extract/Extract.cc
+++ b/src/file_analysis/analyzer/extract/Extract.cc
@ -90,12 +90,12 @@ bool Extract::DeliverStream(const u_char* data, uint64 len)
 	if ( limit_exceeded && file_extraction_limit )
 		{
 		File* f = GetFile();
-		val_list* vl = new val_list();
+		f->FileEvent(file_extraction_limit, {
-		vl->append(f->GetVal()->Ref());
+			f->GetVal()->Ref(),
-		vl->append(Args()->Ref());
+			Args()->Ref(),
-		vl->append(val_mgr->GetCount(limit));
+			val_mgr->GetCount(limit),
-		vl->append(val_mgr->GetCount(len));
+			val_mgr->GetCount(len),
-		f->FileEvent(file_extraction_limit, vl);
+		});
 		// Limit may have been modified by a BIF, re-check it.
 		limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite);
--- a/src/file_analysis/analyzer/hash/Hash.cc
+++ b/src/file_analysis/analyzer/hash/Hash.cc
@ -48,10 +48,12 @@ void Hash::Finalize()
 	if ( ! hash->IsValid() || ! fed )
 		return;
-	val_list* vl = new val_list();
+	if ( ! file_hash )
-	vl->append(GetFile()->GetVal()->Ref());
+		return;
 	vl->append(new StringVal(kind));
 	vl->append(hash->Get());
-	mgr.QueueEvent(file_hash, vl);
+	mgr.QueueEventFast(file_hash, {
 		GetFile()->GetVal()->Ref(),
 		new StringVal(kind),
 		hash->Get(),
 	});
 	}
--- a/Show more
+++ b/Show more
		`@ -1 +1 @@`
			`Subproject commit 1b5375e9f81ecec59f983e6abe86300c6bbbcb8f`				`Subproject commit 7a375f0749f2bc28083863ff7ec44f3fba3510fa`