From 4a5737708c7423a0d4cefe37d196864519efb32e Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Wed, 22 Jul 2015 10:35:49 -0700
Subject: [PATCH 01/17] Basic IMAP StartTLS analyzer.

Parses certificates out of imap connections using StartTLS. Aborts
processing if StartTLS is not found.
---
 scripts/base/init-default.bro                 |   1 +
 scripts/base/protocols/imap/README            |   5 +
 scripts/base/protocols/imap/__load__.bro      |   2 +
 scripts/base/protocols/imap/main.bro          |  11 +++
 src/analyzer/protocol/CMakeLists.txt          |   1 +
 src/analyzer/protocol/imap/CMakeLists.txt     |  11 +++
 src/analyzer/protocol/imap/IMAP.cc            |  86 ++++++++++++++++++
 src/analyzer/protocol/imap/IMAP.h             |  38 ++++++++
 src/analyzer/protocol/imap/Plugin.cc          |  26 ++++++
 src/analyzer/protocol/imap/imap-analyzer.pac  |  57 ++++++++++++
 src/analyzer/protocol/imap/imap-protocol.pac  |  17 ++++
 src/analyzer/protocol/imap/imap.pac           |  35 +++++++
 .../conn.log                                  |  10 ++
 .../ssl.log                                   |  10 ++
 .../x509.log                                  |  12 +++
 testing/btest/Traces/tls/imap-starttls.pcap   | Bin 0 -> 8511 bytes
 .../scripts/base/protocols/imap/starttls.test |   9 ++
 17 files changed, 331 insertions(+)
 create mode 100644 scripts/base/protocols/imap/README
 create mode 100644 scripts/base/protocols/imap/__load__.bro
 create mode 100644 scripts/base/protocols/imap/main.bro
 create mode 100644 src/analyzer/protocol/imap/CMakeLists.txt
 create mode 100644 src/analyzer/protocol/imap/IMAP.cc
 create mode 100644 src/analyzer/protocol/imap/IMAP.h
 create mode 100644 src/analyzer/protocol/imap/Plugin.cc
 create mode 100644 src/analyzer/protocol/imap/imap-analyzer.pac
 create mode 100644 src/analyzer/protocol/imap/imap-protocol.pac
 create mode 100644 src/analyzer/protocol/imap/imap.pac
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log
 create mode 100644 testing/btest/Traces/tls/imap-starttls.pcap
 create mode 100644 testing/btest/scripts/base/protocols/imap/starttls.test

diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 473d94fc84..58d2b4b2b9 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -44,6 +44,7 @@
 @load base/protocols/dns
 @load base/protocols/ftp
 @load base/protocols/http
+@load base/protocols/imap
 @load base/protocols/irc
 @load base/protocols/krb
 @load base/protocols/modbus
diff --git a/scripts/base/protocols/imap/README b/scripts/base/protocols/imap/README
new file mode 100644
index 0000000000..ba96748489
--- /dev/null
+++ b/scripts/base/protocols/imap/README
@@ -0,0 +1,5 @@
+Support for the Internet Message Access Protocol (IMAP).
+
+Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+mails from IMAP sessions, only X509 certificates.
diff --git a/scripts/base/protocols/imap/__load__.bro b/scripts/base/protocols/imap/__load__.bro
new file mode 100644
index 0000000000..aa3a41ef5e
--- /dev/null
+++ b/scripts/base/protocols/imap/__load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+
diff --git a/scripts/base/protocols/imap/main.bro b/scripts/base/protocols/imap/main.bro
new file mode 100644
index 0000000000..9f0305c80c
--- /dev/null
+++ b/scripts/base/protocols/imap/main.bro
@@ -0,0 +1,11 @@
+
+module IMAP;
+
+const ports = { 143/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports);
+	}
+
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 467fce83ee..9e824d42d2 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -16,6 +16,7 @@ add_subdirectory(gtpv1)
 add_subdirectory(http)
 add_subdirectory(icmp)
 add_subdirectory(ident)
+add_subdirectory(imap)
 add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(krb)
diff --git a/src/analyzer/protocol/imap/CMakeLists.txt b/src/analyzer/protocol/imap/CMakeLists.txt
new file mode 100644
index 0000000000..755221b25a
--- /dev/null
+++ b/src/analyzer/protocol/imap/CMakeLists.txt
@@ -0,0 +1,11 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro IMAP)
+bro_plugin_cc(Plugin.cc)
+bro_plugin_cc(IMAP.cc)
+bro_plugin_pac(imap.pac imap-analyzer.pac imap-protocol.pac)
+bro_plugin_end()
+
diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc
new file mode 100644
index 0000000000..ad38d598ac
--- /dev/null
+++ b/src/analyzer/protocol/imap/IMAP.cc
@@ -0,0 +1,86 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "IMAP.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+#include "analyzer/Manager.h"
+
+using namespace analyzer::imap;
+
+IMAP_Analyzer::IMAP_Analyzer(Connection* conn)
+	: tcp::TCP_ApplicationAnalyzer("IMAP", conn)
+	{
+	interp = new binpac::IMAP::IMAP_Conn(this);
+	had_gap = false;
+	tls_active = false;
+	}
+
+IMAP_Analyzer::~IMAP_Analyzer()
+	{
+	delete interp;
+	}
+
+void IMAP_Analyzer::Done()
+	{
+	tcp::TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void IMAP_Analyzer::EndpointEOF(bool is_orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	interp->FlowEOF(is_orig);
+	}
+
+void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	if ( tls_active )
+		{
+		// If TLS has been initiated, forward to child and abort further
+		// processing
+		ForwardStream(len, data, orig);
+		return;
+		}
+
+	assert(TCP());
+	if ( TCP()->IsPartial() )
+		return;
+
+	if ( had_gap )
+		// If only one side had a content gap, we could still try to
+		// deliver data to the other side if the script layer can
+		// handle this.
+		return;
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}
+
+void IMAP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	had_gap = true;
+	interp->NewGap(orig, len);
+	}
+
+void IMAP_Analyzer::StartTLS()
+	{
+	// StartTLS was called. This means we saw a client starttls followed
+	// by a server proceed. From here on, everything should be a binary
+	// TLS datastream.
+
+	tls_active = true;
+
+	Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+	if ( ssl )
+		AddChildAnalyzer(ssl);
+	}
diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h
new file mode 100644
index 0000000000..a1f59e5010
--- /dev/null
+++ b/src/analyzer/protocol/imap/IMAP.h
@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_IMAP_IMAP_H
+#define ANALYZER_PROTOCOL_IMAP_IMAP_H
+
+#include "analyzer/protocol/tcp/TCP.h"
+
+#include "imap_pac.h"
+
+namespace analyzer { namespace imap {
+
+class IMAP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+public:
+	IMAP_Analyzer(Connection* conn);
+	virtual ~IMAP_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
+
+	// Overriden from tcp::TCP_ApplicationAnalyzer.
+	virtual void EndpointEOF(bool is_orig);
+
+	void StartTLS();
+
+	static analyzer::Analyzer* Instantiate(Connection* conn)
+		{ return new IMAP_Analyzer(conn); }
+
+protected:
+	binpac::IMAP::IMAP_Conn* interp;
+	bool had_gap;
+
+	bool tls_active;
+};
+
+} } // namespace analyzer::*
+
+#endif /* ANALYZER_PROTOCOL_IMAP_IMAP_H */
diff --git a/src/analyzer/protocol/imap/Plugin.cc b/src/analyzer/protocol/imap/Plugin.cc
new file mode 100644
index 0000000000..8660879bc3
--- /dev/null
+++ b/src/analyzer/protocol/imap/Plugin.cc
@@ -0,0 +1,26 @@
+// See the file  in the main distribution directory for copyright.
+
+
+#include "plugin/Plugin.h"
+
+#include "IMAP.h"
+
+namespace plugin {
+namespace Bro_IMAP {
+
+class Plugin : public plugin::Plugin {
+public:
+	plugin::Configuration Configure()
+		{
+		AddComponent(new ::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
+
+
+		plugin::Configuration config;
+		config.name = "Bro::IMAP";
+		config.description = "IMAP analyzer StartTLS only";
+		return config;
+		}
+} plugin;
+
+}
+}
diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac
new file mode 100644
index 0000000000..918d339cfe
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap-analyzer.pac
@@ -0,0 +1,57 @@
+refine connection IMAP_Conn += {
+
+	%member{
+	string client_starttls_id;
+	%}
+
+	%init{
+	%}
+
+	function proc_imap_token(is_orig: bool, tag: bytestring, command: bytestring): bool
+		%{
+		string commands = std_str(command);
+		std::transform(commands.begin(), commands.end(), commands.begin(), ::tolower);
+
+		string tags = std_str(tag);
+
+		//printf("imap %s %s\n", commands.c_str(), tags.c_str());
+
+		if ( !is_orig && tags == "*" && commands == "ok" )
+			bro_analyzer()->ProtocolConfirmation();
+
+		if ( is_orig && ( command == "capability" || commands == "starttls" ) )
+			bro_analyzer()->ProtocolConfirmation();
+
+		if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" )
+			{
+			bro_analyzer()->ProtocolConfirmation();
+			// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
+			bro_analyzer()->SetSkip(true);
+			return true;
+			}
+
+		if ( is_orig && commands == "starttls" )
+			{
+			if ( !client_starttls_id.empty() )
+				reporter->Weird(bro_analyzer()->Conn(), "IMAP: client sent duplicate StartTLS");
+
+			client_starttls_id = tags;
+			}
+
+		if ( !is_orig && !client_starttls_id.empty() && tags == client_starttls_id )
+			{
+			if ( commands == "ok" )
+				bro_analyzer()->StartTLS();
+			else
+				reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
+			}
+
+		return true;
+		%}
+
+};
+
+refine typeattr IMAP_TOKEN += &let {
+       proc: bool = $context.connection.proc_imap_token(is_orig, tag, command);
+};
+
diff --git a/src/analyzer/protocol/imap/imap-protocol.pac b/src/analyzer/protocol/imap/imap-protocol.pac
new file mode 100644
index 0000000000..15bb753475
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap-protocol.pac
@@ -0,0 +1,17 @@
+type TAG = RE/[[:alnum:][:punct:]]+/;
+type CONTENT = RE/[^\r\n]*/;
+type SPACING = RE/[ ]+/;
+type OPTIONALSPACING = RE/[ ]*/;
+type NEWLINE = RE/[\r\n]+/;
+
+type IMAP_PDU(is_orig: bool) = IMAP_TOKEN(is_orig)[] &until($input.length() == 0);
+
+type IMAP_TOKEN(is_orig: bool) = record {
+	tag : TAG;
+	: SPACING;
+	command: TAG;
+	: OPTIONALSPACING;
+	tagcontent: CONTENT;
+	: NEWLINE;
+};
+
diff --git a/src/analyzer/protocol/imap/imap.pac b/src/analyzer/protocol/imap/imap.pac
new file mode 100644
index 0000000000..33382bc26d
--- /dev/null
+++ b/src/analyzer/protocol/imap/imap.pac
@@ -0,0 +1,35 @@
+# binpac file for the IMAP analyzer.
+# Note that we currently do not even try to parse the protocol
+# completely -- this is only supposed to be able to parse imap
+# till StartTLS does (or does not) kick in.
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+namespace analyzer { namespace imap { class IMAP_Analyzer; } }
+namespace binpac { namespace IMAP { class IMAP_Conn; } }
+typedef analyzer::imap::IMAP_Analyzer* IMAPAnalyzer;
+
+#include "IMAP.h"
+%}
+
+extern type IMAPAnalyzer;
+
+analyzer IMAP withcontext {
+	connection:	 IMAP_Conn;
+	flow:		 IMAP_Flow;
+};
+
+connection IMAP_Conn(bro_analyzer: IMAPAnalyzer) {
+	upflow = IMAP_Flow(true);
+	downflow = IMAP_Flow(false);
+};
+
+%include imap-protocol.pac
+
+flow IMAP_Flow(is_orig: bool) {
+	datagram = IMAP_PDU(is_orig) withcontext(connection, this);
+};
+
+%include imap-analyzer.pac
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log
new file mode 100644
index 0000000000..0ae19c2fda
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2015-07-22-17-31-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1437584567.812552	CXWv6p3arKYeMETxOg	192.168.17.53	49640	212.227.17.186	143	tcp	ssl,imap	2.827002	540	5653	SF	-	-	0	ShAdDafFr	18	1284	14	6225	(empty)
+#close	2015-07-22-17-31-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log
new file mode 100644
index 0000000000..aefbf3d41e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2015-07-22-17-31-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1437584568.570497	CXWv6p3arKYeMETxOg	192.168.17.53	49640	212.227.17.186	143	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	FOWmhO3rUj3SEB5RTb,FjH9n52SzEIJ9UoVK9,FisDHa396LIaZadgG9	(empty)	CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	-	-
+#close	2015-07-22-17-31-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log
new file mode 100644
index 0000000000..6d1be68725
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/x509.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2015-07-22-17-31-02
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1437584568.769690	FOWmhO3rUj3SEB5RTb	3	339D9ED8E73927C9	CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	1384251451.000000	1479427199.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	imap.gmx.net,imap.gmx.de	-	-	-	F	-
+1437584568.769690	FjH9n52SzEIJ9UoVK9	3	21B6777E8CBD0EA8	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	1362146309.000000	1562716740.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1437584568.769690	FisDHa396LIaZadgG9	3	26	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	931522260.000000	1562716740.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	5
+#close	2015-07-22-17-31-02
diff --git a/testing/btest/Traces/tls/imap-starttls.pcap b/testing/btest/Traces/tls/imap-starttls.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f6bfe5458d4c78e9c9023da6c7f835b3a78f6c54
GIT binary patch
literal 8511
zcmds6XIN89x1OCw=p}SPf+$Mg0Rn<V2oNz!lO$9dCDMx!z;;xkVDF+RiXay3sMz%w
zyT^hJ5m69DI*La{4>rD;#0Dtm*M07H?|w4b{atHTduPv7TsTxj03`5j>+S{sgD1ys
z91u{aC;?x1jM~bO17TAtVoDNqV^yet1AtrFH8<c!QAv}Os52|-)lZ&l1}nsa8*d||
zQbKq413v%=Byt%>B$6<Us$jl!oHM#dA^>n4qMOPC;117Gli|u_Ky*5=hXMdjS#5@p
zkp!^fT(e&Z=M<E1XRgM`(+A*N2%SVA5*6SvLc9zS9pEu)ee@lcvli+5QPNA_I}r7>
zznU9(mm@>D&`bavXadxF>xDTA>X2R|M)lI`G}6mo7Z{Rp0L<xrW9eZYY=5>p*PF`^
zp>uuM{`RTD3<lj}G}qfRfa6Q&__E!-IdrZk{K369m&do_1oJt*o*Ylv8IRBA3wZFD
z&k10AThM*{0y%VFwhxEr&-UQZd2F7y6*qv+^9$h9dHx&^F5BBmz~j*QqXRf>PnKVR
zCntd8$rHGb;dt=r0<NdOH-r=T@;Kh;LJ*ffn(Ir4QUdsVZyud3;E!f``+31@(nEi5
zHrIE8RCRiqFf~J%N>3GrM@^@XrYFWmCr-l|c60`A&vY0reZ~s+!39YXR*aBLu3wsM
z1aqtvj;C`N)07pEYl2z`{kZ1JS>&3NxqV$T>bk$0Ye(lonQI<H6i?_})cQEsLGTHo
zSdRTAimn^*_zM7Q`VY6rG+SLo1}+c}wchRq!vs%}yIuG_-973$boUc~HDJi}fv-t7
z)XUt5WS|Gb2DRQ;n4;jBG;~sai3LNacqs~<ANu{@4I5<zYm@>%btN)6F(pAL5=P04
zPOc{R6AqHUkR#76>E*~LekES}VL1H#Hdhu7g%IUi1?dwG_VG6niuSBuqQG#N_W^~&
zxA>RoWq61R0--xm>+L`=T2L<y2HTzv^x6-Dp$+B!%shk$JMJ!wj!mMYtV$9_CyQdk
zMX||A^rYlWnG{nfrJs;{E|oH_my~j;6c}>$Bc<^M|4_)?g;=QGq1ML+!wx=1Hn=^l
zmkrvWCCi~Dzq}nUL&++m0uc;a)Ow>}Q--x7lwhl0qCiW=)BvDO#4sleU`!%WQ@3(p
z;w{s1ezrl?D2tHShd4szi%Tw@ZX7%<<CH;&3IInXxWrO2Ofp!aDNz91K`|%-TR=RB
z1F;|mIDz575q4-HSO9WBw!~IqEispvN>n9euo<ub6U>*`NGv2nB_<M@L>_DdTR|Zx
z0MU>#T){|S2W$ZY;9w)z0P?_kNLHS}1Gq~V5-W+BWQasXLIRth18l%Lzy@*>b%~rr
zNkRZ*K$2)ks6ZRgfErMiC`*Vy0cZgYpbC_LJm@As>j;1%AQ1sZfVT{QKF|Sra6bU(
z!eecq0+iu>^soXjfgVu?bTE*DQ3w<w86y+OkO@fy5|M}zA#D*b0)aq;;24HHX?{cz
zw330e^^QIAV?hIo3WrU7qoUai79u0<BIE-i2qFN$BN7D%Zs5(68*UwLRjPkl`p2q_
zu!M5&neTm6!?FrTa;J==U!#ypLr)PlrN15;LS=Z**x<&Hdw1;3Lf7J&n)b4j781x~
zirvtma0g(=A-4JsMWDVFsBZysd|WK&kBce83#GlF+HEeVYH}L-7p_c^H_sWJ^IjRl
z$Yg+L{l!qk<tan~i9#cIau`E!6Lg|LGvHhCrl*O7iD`6hl1P}EBu$a<1iDvZ#At>Q
zZipUJq-p<njGvmGCZc-?(bEhiTmd~mr4fAtf*2~e5;{|-k(rLROq`*HtDti^nw+mt
zloBIMV$kt{=!!f|M}XcJLZML*E;UvN|E%e@__rsBG#$P$LC6zE(s@$S^AAr;qkD3!
z82CUPWriJt!LViE3`aXgC_Ht5r;fIEOedyOD4w;sXI}^621urYk`}|1LH7xdO`x07
zeS}f5;j&H|;selqDoryWCN@c!5S|oe<sY5^4FQcIWN6@OvQEhRBqxc&Bf`^D8H4db
z-|Z`pX=}-N*(y?)DoS%>q$fo&tfPbsEu4nlB+`^(6T?%iAy-=`2}QUV8}ze#Fft&D
zF;xJsD-gsO2Cle@lpl-;YD`v)v6*r#wk@U9bB^|h3O->`LuFmV9Mx49ub--On>%o9
z>*Pn>?zwx-_F-XGqmH*O)lA9XT^zM>`bXW}_TlvI7p(Ri&$XtrXNfuba>k3Ao6bJE
z6}MxcOULRWP1`r41VP2^8p--C%ELOV7F{!3rEjP+b<kA1CVh)h)6@164OSdCxmrq-
z*tYGLvn|+c-L#^8?{wpWmF3;5NBCqNzi?ISS=E5%aW)nI#Gct15_ivRP3J$OR&=pG
zE4_aZz93TPp<Lion=w(bcQT%L8+k81QC6&7vc8TwsUW7EzG}gyOLd#}*UW$HN}GSG
zaiwPb#EbWu0@GAanZ2a75Qs3^i^aq!Tuhvd8$lBqnvisH?YWu}ezbCj==nGGJ{9`u
zE$PtWW3~p;5HnQ8ux=8GNFWzVBi3*TNgLOsP%S7h`sIj(??;&IwhBp`q&X=$M)&H-
z+z)eosurFIp}xf)Ox%cvAaQh30Pc@_Qsm+LB<zfrG68qQncqMNn6_DrNR;AiW0RSg
zX)S_bnkI~d4!4noK?;mio5++j>ljgD0#2n+qO+7>g@OJxM&L#yF{TSoG;vO$M<F}M
z^($6nYJ&9-fS+Mg6KuZb!lWO$FbU;?HGB!rx>lHVr7-JaPS&}EsBokf+WiJAGKuvS
zYltoW0}Y-aJj>*C*7r<@*QB`)_p)raOzv^BN4<a#p^9M{$%+!XqCAM55*rEACqS5y
z4EK<B6Jpaut`XsB{oH1mL%TSAvonT4OIg4xLvg!r*KjOn=vR9sN2dL*ljv3|?*08G
zLXO+N8W~mo+x=JmMrq~G?^*eM#NxrS%HJ{>fXGzQ?|mgq#j}cjQYvfhe~Z7^9zQ%L
zt>K0=lu!g5;Db@js*_-m6!$1&V#V)8ElT)vJ%e-u>lp@ACJwK@S#rwkg1vVG>C;n1
z-In^YMvLKgdyR`Ku=iaa+b$HChWnlvw}X{ZkiML_|3ltQIq^Zkd-JPFzC*6zWBo#o
zY}uB5#&-=<f*mw>U=6!Er_-W9l)2iXA@G6Ds0sY-yc_Is*G5zvTf_bQ=gNmitG--l
z{F}PC)1*4W<3x9A`Y=Q5_Ac{XZ;GPt%hPr(blkt@;Ym)O(vX?6uD3nw4x(sec_efz
zZ*SAuKKXNtX5g9!QRVd_`=&#Vr@y>bsJTt+9ILY4-%0t(-K9r|U@Hb647+|$b@D?~
zjRcbg3(hp)x=%OgF<!VVF_gb=cIcIhiQmZ86L%2)aXZVB52tbDE&|FHNX+@Tm^|+*
zIU66%oW1mnN=Ywk;Zu9^l>x2~Z4SAa<|#}UrA5XF=_qC6lN0G|uO5{AHIwN*DA@!@
zWd^d2exKI^l9M5Gvmwn&ITW|U84Nq-a9bzDp-!;IIUx?kamb<nkH!oC#<!*OI{X(m
zf=hGe)J+QFY`j~!%)D#I8JjP2EM`9L(qFM7cx!Z$jj#Loij^%Bk5*2wI&p&a`o_#{
z?#D;(aT_pIf0>$G_L5b`0me#SK8Dq4Qw*!OOi->pO3_WR;MS+P8Ez{)Jeak{IJY`v
z>3OfYlV)tFGM@kby?UE!zVkvkLg|Dx5upZ&tbCIYRg3u6>;b{YuV;QJQmnN5Ywh~P
zJkpoZ({0u{yH<x@i1Wyp{l&rBY?9NIt*of}nOko)XDm8)OsQkSu*+^S?gdv9edl?-
zJ+S%4tB%u@#Jv;m7pyC#@B3S5JWTt>i}00?nAJyi9a!KLAvf{!v7#&YR_1*&+h9{r
z6Mye3-x40<VnS6<I>jhI@#Qbs_h))$T$n!KWGC-|PTiszRyqj^hb=bS;TouZNUI4I
zr@*2Dhp_*XB%9TN<Qb8&n((aWxO3s~LWdmt{)<1V{3DMl_Ve}j*baSn?J(~7-PLU7
zSHg3EUvJ#zc-hz6^)vl`IW$T6V`ESL;5mHbk0BiZz(E9Ldr$tP06#zeBoFo^TN%Y~
zFU;Cnn6)J*Ytz3|hKDcfTjnDQmz559gt8xTIUD}jTKWkfng19H^kRCyUqi6HEInAB
z99MR_C?+{IRy6$wy?aA?hg@y)jo+l~tp%^B<L2M4LG~W_6MN&fKaX-`q|N^REFp*4
zzu%y(5Z(4P7UI|~KVf98{;x1tWDkbz`Ee#?OJAC=c_EjSR=K$=LF43+;6EfaOXFL1
zp9(X%l~R<_9$ZGVRU4st{Qk)>)}2AohsQp)s4j_MQ;zvP%-yRvGd7hOpENDAVouZK
z+y?6{Se4Cy;#zwLb%Wbh0d0q=wNv$jPEV%HaAk$ATKV>k`J*E__SS(43HKGNpEqV?
zXYI61CX`-d+FQ?c+kaba6Bx2B<rS-?qvHK3Tdl#=eTus(I##Zb7>vIaq1y1=r~Wlx
z?X~XWE0>(lbx-9N5iFHg<?82+`(w`zd*#bBFYf7@@BaDk+K6(sfJ|?~!VlMobL+R>
zetP<&rE&hYKVNJS`UcD<OFk4^dE4)tCQoT7OTFPOkORbGINXPfNmw9bOU(4YgC?D%
zya+!w8ITuy)8zjGbN?Hg?NKad)-5s9JgAv{z(wu3Q!;bHnEf@a;mdNlZ<C{n^(Rl+
zw##kM{D&3W8>X#MiNW@r@EPx1e(!jRyW5jn#V5rfajOUHHP~29wHPwAE7rv8@47b2
z8Tp+w!tL4iv(6W|fRH_%)k>YVE*5+Jt1B<m&Rct}L}`Pq3Uzc~Slq|zr@_G(cTy_b
zMT>$hpRjND@ik>P3)*%z$5{o~KXUFEpFXbo(HlnB%c*&`7x`MAN?rMa7yF**QVWZ7
z7IR<n$Sd@`@7D%T&%YaI;J)Y5{hhaBRM$O!8lIOCes$HX%8}sND*pvfH!C#mTYuN^
zvhyF;PgfJ|?=KI-I^*PyX&+4*Ge^c|?zr1e%=JrRQk4=D=^HDN`!L@xvUF`!$Udj2
zCbKr$m(UAKXhBy=gI|dde{B3y5zK-!KB)DcGa@7jno;F<mg`yhgIlGQUl$mKaRJDb
zOs<dq*s^HHytC`Xvyv(<usRCnCY>@X%bRg<1i#Hm$7{C!a>Y+Zj1UItP`S<<%PSEM
zf@g!O775DoM(>XLP-);$<vA@h)WkVxedi3^Z~vA!@39uk3yJk3>vmP#oq6|g$+J|K
zeFfcfL!Rez%HEAAz3HTvXWP(f9KP~7!+5#<!S^=IG1+R>O^Y3k{|t$&d!4<I!K>hF
zW~WSlYfZ@<nr>rsd~w&8ODC%wp3iG<5*|An8Tw|_fvmNT73`&zCY1wkb;b<vjNBS}
zawjvSs3C=%uVNCkVXZ>qNvFtRIji63&ae7-=N36IDhN(tVLnO#;}U@mn`G+lKsVmV
zuS(NvO?h{^e8^|<-jAB4`gZSkt4+0-pAo{YHFv(9el6y5HU@U8K1+@u`#;zqaSR77
z?2=>2dFSDv0<3ucR!lOCtT4R#$He4}I_jH&&c(g~-Ct^esp*y-Gv7v;rcN_k;Z$+=
z-uA@y{14Bj;p;0kUZjr-5{#=2)Y+joHDS$z=w*+zt+*`B%9Yz}J|;Im(vE+%roFXx
z-Rxr@>{c(E=qxeW7*t*(_PAIzW7nzmxsU%*?hLndJ^Q7-p)rN3X;S4>G;iP8Js0n{
zsdv>rR+kuEx^lU+O)lWY@e{9RSbQW0W0t=A?iXrw2ose~EVYWcP#iKwkYAIu?m(Qp
z*#oa`=HvBlr+o-p(ya!T@y=_xJ*PfAyuKn>FZn4m^v0siELYE=`cxOIk7Xm=SVvyg
z7vB-P+su73q`ollnE{R_97%9KS2`1Y5XR!~XQH(wXe<-oYl#PqWrADL>f5ugD2iwM
zLwU6Tp{%;ucSID1!x7P=Cr@O$?7yi9${-?Yz2~#Rjx-8FQMvO=6gZzfX@YDnb(9)h
zon({l-S3v4lA@8veBAaRV4P$j<)Fftk@R=xqwV<_mG@k!LrY!+1vW046%p4Gov&f(
znBbVTQa4jP)bIU(m-oE&FimJB3`4dWW_-0yzs4nZ=esg$6g^O5qn~_sb$*3>*M#MU
z*=FwB79VuYTsG&?_01@^KkZh5)8RncdgnF>6SSb*cG2sZ+hI7&?VWHf!szLC0Dck-
zaim*Q?QG+q0|yVznNjvW?(}@i^)oGJSG3;<9lyDF_AP!=Iug8kk4is|Ja3AO2dCtF
zEc-U^^eYLAgf95>L>YjS5M}xU3V?Q$wmvTKD_e$8ZWjI$1-f8s3IICLVuQX~tVC()
z8Bg-dET{O-ofAjSpWoU2gg>12&s_3a9umfc%K+I>7;1fNl_`Mh7jVt?Q!iUZLR*z1
zTa8te2^$07MjN(qSI1@TCbto>XM7lj%iH%Im>VhyZ41Uvy=u?hx~@Q^A3X2HnQgPu
zmr<>&_LKbIHNW%BPI4S^R=ass=J4GUw#P>yrD~v30tkm%AEmqmZBhqX^it}OR4F}R
zB&GtO1udYDG=dx9@52<<t=Y{+d$z~hnbR9h<BlUCT~NsHv#weLnYqNhmzm3<vkpOL
zeXNBmRtUxXTz@D6C4^$d{RPThh|*O%Lx#dW|D(fwT<*2$8A55`{SpPb-1_F%4u5s|
zF4N`2X5+}ogXG9_KGR!?t4f`bs_sz8?>n67frKb(^b+y{cKEKpx*MqF$yB|+O{t$H
aI6dhS+_YXxaA9|mAN)xGEJ{O1X!{RQJcKm>

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/imap/starttls.test b/testing/btest/scripts/base/protocols/imap/starttls.test
new file mode 100644
index 0000000000..380a594c2b
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/imap/starttls.test
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/ssl
+@load base/protocols/conn
+@load base/frameworks/dpd
+@load base/protocols/imap

From 1933299543bce05776f7887cf36a388056cfbe32 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Thu, 23 Jul 2015 11:15:57 -0700
Subject: [PATCH 02/17] Add support of getting server capabilities to IMAP
 parser.

---
 src/analyzer/protocol/imap/CMakeLists.txt     |  1 +
 src/analyzer/protocol/imap/events.bif         | 10 ++++
 src/analyzer/protocol/imap/imap-analyzer.pac  | 20 ++++++-
 src/analyzer/protocol/imap/imap-protocol.pac  | 57 ++++++++++++++++++-
 src/analyzer/protocol/imap/imap.pac           |  2 +
 .../.stdout                                   |  1 +
 .../base/protocols/imap/capabilities.test     | 12 ++++
 7 files changed, 99 insertions(+), 4 deletions(-)
 create mode 100644 src/analyzer/protocol/imap/events.bif
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.imap.capabilities/.stdout
 create mode 100644 testing/btest/scripts/base/protocols/imap/capabilities.test

diff --git a/src/analyzer/protocol/imap/CMakeLists.txt b/src/analyzer/protocol/imap/CMakeLists.txt
index 755221b25a..921dde2444 100644
--- a/src/analyzer/protocol/imap/CMakeLists.txt
+++ b/src/analyzer/protocol/imap/CMakeLists.txt
@@ -6,6 +6,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 bro_plugin_begin(Bro IMAP)
 bro_plugin_cc(Plugin.cc)
 bro_plugin_cc(IMAP.cc)
+bro_plugin_bif(events.bif)
 bro_plugin_pac(imap.pac imap-analyzer.pac imap-protocol.pac)
 bro_plugin_end()
 
diff --git a/src/analyzer/protocol/imap/events.bif b/src/analyzer/protocol/imap/events.bif
new file mode 100644
index 0000000000..903d1f0dff
--- /dev/null
+++ b/src/analyzer/protocol/imap/events.bif
@@ -0,0 +1,10 @@
+## Generated for an SSL/TLS client's initial *hello* message.  SSL/TLS sessions
+## start with an unencrypted handshake, and Bro extracts as much information out
+## of that as it can. This event provides access to the initial information
+## sent by the client.
+##
+## c: The connection.
+##
+## capabilities: The list of IMAP capabilities as sent by the server.
+event imap_capabilities%(c: connection, capabilities: string_vec%);
+
diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac
index 918d339cfe..67da283609 100644
--- a/src/analyzer/protocol/imap/imap-analyzer.pac
+++ b/src/analyzer/protocol/imap/imap-analyzer.pac
@@ -49,9 +49,25 @@ refine connection IMAP_Conn += {
 		return true;
 		%}
 
+	function proc_server_capability(capabilities: Capability[]): bool
+		%{
+		VectorVal* capv = new VectorVal(internal_type("string_vec")->AsVectorType());
+		for ( unsigned int i = 0; i< capabilities->size(); i++ )
+			{
+			const bytestring& capability = (*capabilities)[i]->cap();
+			capv ->Assign(i, new StringVal(capability.length(), (const char*)capability.data()));
+			}
+
+		BifEvent::generate_imap_capabilities(bro_analyzer(), bro_analyzer()->Conn(), capv);
+		return true;
+		%}
+
 };
 
-refine typeattr IMAP_TOKEN += &let {
-       proc: bool = $context.connection.proc_imap_token(is_orig, tag, command);
+refine typeattr ImapToken += &let {
+	proc: bool = $context.connection.proc_imap_token(is_orig, tag, command);
 };
 
+refine typeattr ServerCapability += &let {
+	proc: bool = $context.connection.proc_server_capability(capabilities);
+};
diff --git a/src/analyzer/protocol/imap/imap-protocol.pac b/src/analyzer/protocol/imap/imap-protocol.pac
index 15bb753475..5fa1e34555 100644
--- a/src/analyzer/protocol/imap/imap-protocol.pac
+++ b/src/analyzer/protocol/imap/imap-protocol.pac
@@ -1,17 +1,70 @@
+# commands that we support parsing. The numbers do not really mean anything
+# in this case
+enum ImapCommand {
+	CMD_CAPABILITY,
+	CMD_UNKNOWN
+}
+
 type TAG = RE/[[:alnum:][:punct:]]+/;
 type CONTENT = RE/[^\r\n]*/;
 type SPACING = RE/[ ]+/;
 type OPTIONALSPACING = RE/[ ]*/;
 type NEWLINE = RE/[\r\n]+/;
+type OPTIONALNEWLINE = RE/[\r\n]*/;
 
-type IMAP_PDU(is_orig: bool) = IMAP_TOKEN(is_orig)[] &until($input.length() == 0);
+type IMAP_PDU(is_orig: bool) = ImapToken(is_orig)[] &until($input.length() == 0);
 
-type IMAP_TOKEN(is_orig: bool) = record {
+type ImapToken(is_orig: bool) = record {
 	tag : TAG;
 	: SPACING;
 	command: TAG;
 	: OPTIONALSPACING;
+	client_or_server: case is_orig of {
+		true -> client: UnknownCommand(this) ;
+		false -> server: ServerContentText(this);
+	} &requires(pcommand) ;
+} &let {
+	pcommand: int = $context.connection.determine_command(is_orig, tag, command);
+};
+
+type ServerContentText(rec: ImapToken) = case rec.pcommand of {
+	CMD_CAPABILITY -> capability: ServerCapability(rec);
+	default -> unknown: UnknownCommand(rec);
+};
+
+type Capability = record {
+	cap: TAG;
+	: OPTIONALSPACING;
+	nl: OPTIONALNEWLINE;
+};
+
+type ServerCapability(rec: ImapToken) = record {
+	capabilities: Capability[] &until($context.connection.strlen($element.nl) > 0);
+};
+
+type UnknownCommand(rec: ImapToken) = record {
 	tagcontent: CONTENT;
 	: NEWLINE;
 };
 
+refine connection IMAP_Conn += {
+
+	function determine_command(is_orig: bool, tag: bytestring, command: bytestring): int
+	%{
+	string cmdstr = std_str(command);
+	std::transform(cmdstr.begin(), cmdstr.end(), cmdstr.begin(), ::tolower);
+	string tagstr = std_str(tag);
+
+	if ( !is_orig && cmdstr == "capability" && tag == "*" ) {
+		return CMD_CAPABILITY;
+	}
+
+	return CMD_UNKNOWN;
+	%}
+
+	function strlen(str: bytestring): int
+	%{
+	return str.length();
+	%}
+
+};
diff --git a/src/analyzer/protocol/imap/imap.pac b/src/analyzer/protocol/imap/imap.pac
index 33382bc26d..f5c7559294 100644
--- a/src/analyzer/protocol/imap/imap.pac
+++ b/src/analyzer/protocol/imap/imap.pac
@@ -7,6 +7,8 @@
 %include bro.pac
 
 %extern{
+#include "events.bif.h"
+
 namespace analyzer { namespace imap { class IMAP_Analyzer; } }
 namespace binpac { namespace IMAP { class IMAP_Conn; } }
 typedef analyzer::imap::IMAP_Analyzer* IMAPAnalyzer;
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.capabilities/.stdout b/testing/btest/Baseline/scripts.base.protocols.imap.capabilities/.stdout
new file mode 100644
index 0000000000..bf69e13682
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.capabilities/.stdout
@@ -0,0 +1 @@
+[IMAP4rev1, CHILDREN, ENABLE, ID, IDLE, LIST-EXTENDED, LIST-STATUS, LITERAL+, MOVE, NAMESPACE, SASL-IR, SORT, SPECIAL-USE, THREAD=ORDEREDSUBJECT, UIDPLUS, UNSELECT, WITHIN, STARTTLS, AUTH=LOGIN, AUTH=PLAIN]
diff --git a/testing/btest/scripts/base/protocols/imap/capabilities.test b/testing/btest/scripts/base/protocols/imap/capabilities.test
new file mode 100644
index 0000000000..06bdb56b7d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/imap/capabilities.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ssl
+@load base/protocols/conn
+@load base/frameworks/dpd
+@load base/protocols/imap
+
+event imap_capabilities(c: connection, capabilities: string_vec)
+	{
+	print capabilities;
+	}

From 7f2087af3433f60635bfb8288f51c312a068107b Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Thu, 23 Jul 2015 12:37:40 -0700
Subject: [PATCH 03/17] also generate an event when starttls is encounterd for
 imap.

---
 src/analyzer/protocol/imap/events.bif                       | 4 ++++
 src/analyzer/protocol/imap/imap-analyzer.pac                | 3 +++
 .../Baseline/scripts.base.protocols.imap.starttls/.stdout   | 1 +
 testing/btest/scripts/base/protocols/imap/starttls.test     | 6 ++++++
 4 files changed, 14 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.imap.starttls/.stdout

diff --git a/src/analyzer/protocol/imap/events.bif b/src/analyzer/protocol/imap/events.bif
index 903d1f0dff..ba83791b13 100644
--- a/src/analyzer/protocol/imap/events.bif
+++ b/src/analyzer/protocol/imap/events.bif
@@ -8,3 +8,7 @@
 ## capabilities: The list of IMAP capabilities as sent by the server.
 event imap_capabilities%(c: connection, capabilities: string_vec%);
 
+## Generated when a IMAP connection goes encrypted
+##
+## c: The connection.
+event imap_starttls%(c: connection%);
diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac
index 67da283609..de6352d7b9 100644
--- a/src/analyzer/protocol/imap/imap-analyzer.pac
+++ b/src/analyzer/protocol/imap/imap-analyzer.pac
@@ -41,7 +41,10 @@ refine connection IMAP_Conn += {
 		if ( !is_orig && !client_starttls_id.empty() && tags == client_starttls_id )
 			{
 			if ( commands == "ok" )
+				{
 				bro_analyzer()->StartTLS();
+				BifEvent::generate_imap_starttls(bro_analyzer(), bro_analyzer()->Conn());
+				}
 			else
 				reporter->Weird(bro_analyzer()->Conn(), "IMAP: server refused StartTLS");
 			}
diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/.stdout b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/.stdout
new file mode 100644
index 0000000000..5fbafd3ab3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/.stdout
@@ -0,0 +1 @@
+Tls started for connection
diff --git a/testing/btest/scripts/base/protocols/imap/starttls.test b/testing/btest/scripts/base/protocols/imap/starttls.test
index 380a594c2b..444c27688a 100644
--- a/testing/btest/scripts/base/protocols/imap/starttls.test
+++ b/testing/btest/scripts/base/protocols/imap/starttls.test
@@ -2,8 +2,14 @@
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: btest-diff .stdout
 
 @load base/protocols/ssl
 @load base/protocols/conn
 @load base/frameworks/dpd
 @load base/protocols/imap
+
+event imap_starttls(c: connection)
+	{
+	print "Tls started for connection";
+	}

From 6dddd35d218583014938c2ee732cb6a1dfdee0f2 Mon Sep 17 00:00:00 2001
From: Jeannette Dopheide <jdopheid@illinois.edu>
Date: Mon, 25 Apr 2016 11:49:04 -0500
Subject: [PATCH 04/17] Correcting spelling errors found under bro 2.4.1+dfsg-2
 here:

https://lintian.debian.org/full/bengen@debian.org.html#bro_2.4.1_x2bdfsg-2
---
 src/RuleCondition.cc          | 2 +-
 src/RuleMatcher.cc            | 2 +-
 src/Serializer.cc             | 2 +-
 src/StateAccess.cc            | 2 +-
 src/broxygen/Configuration.cc | 2 +-
 src/nb_dns.c                  | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 68eb13121f..40ef5f0ad1 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -111,7 +111,7 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state,
 		return payload_size >= val;
 
 	default:
-		reporter->InternalError("unknown comparision type");
+		reporter->InternalError("unknown comparison type");
 	}
 
 	// Should not be reached
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index f40a5c4349..f5b5b82517 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -21,7 +21,7 @@
 //			it may fail to match. Work-around: Insert an always
 //			matching "payload" pattern (not done in snort2bro yet)
 //		  - tcp-state always evaluates to true
-//			(implemented but deactivated for comparision to Snort)
+//			(implemented but deactivated for comparison to Snort)
 
 uint32 RuleHdrTest::idcounter = 0;
 
diff --git a/src/Serializer.cc b/src/Serializer.cc
index 49e57c0216..5c1ae6077c 100644
--- a/src/Serializer.cc
+++ b/src/Serializer.cc
@@ -437,7 +437,7 @@ bool Serializer::UnserializeCall(UnserialInfo* info)
 
 bool Serializer::UnserializeStateAccess(UnserialInfo* info)
 	{
-	SetErrorDescr("unserializing state acess");
+	SetErrorDescr("unserializing state access");
 
 	StateAccess* s = StateAccess::Unserialize(info);
 
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
index aa4a1f36d2..6e73c8cf61 100644
--- a/src/StateAccess.cc
+++ b/src/StateAccess.cc
@@ -150,7 +150,7 @@ bool StateAccess::CheckOld(const char* op, ID* id, Val* index,
 
 	if ( should && is )
 		{
-		// There's no general comparision for non-atomic vals currently.
+		// There's no general comparison for non-atomic vals currently.
 		if ( ! (is_atomic_val(is) && is_atomic_val(should)) )
 			return true;
 
diff --git a/src/broxygen/Configuration.cc b/src/broxygen/Configuration.cc
index 264e8e6fcb..4780e6ad99 100644
--- a/src/broxygen/Configuration.cc
+++ b/src/broxygen/Configuration.cc
@@ -65,7 +65,7 @@ Config::Config(const string& arg_file, const string& delim)
 		Target* target = target_factory.Create(tokens[0], tokens[2], tokens[1]);
 
 		if ( ! target )
-			reporter->FatalError("unkown Broxygen target type: %s",
+			reporter->FatalError("unknown Broxygen target type: %s",
 			                     tokens[0].c_str());
 
 		targets.push_back(target);
diff --git a/src/nb_dns.c b/src/nb_dns.c
index 1e5d427924..35059ab4f0 100644
--- a/src/nb_dns.c
+++ b/src/nb_dns.c
@@ -389,7 +389,7 @@ nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp,
 
 	default:
 		snprintf(errstr, NB_DNS_ERRSIZE,
-		    "nb_dns_addr_request2(): uknown address family %d", af);
+		    "nb_dns_addr_request2(): unknown address family %d", af);
 		return (-1);
 	}
 

From 41606e18fb555b0425bfb32d6777e0abfeb95aeb Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Mon, 25 Apr 2016 16:54:47 -0700
Subject: [PATCH 05/17] Intel: Allow to provide uid/fuid instead of conn/f.

This patch allows users to provide the fuid or the connection id
directly, in case they do not have access to either in the event that
they handle.

An example for this is the handling of certificates in SSL, where the
fa_file record cannot be retained because this would create a cyclic
data structure.

This patch also provides file IDs for hostname matches in certificates,
which was not possible with the previous API.
---
 scripts/base/frameworks/intel/main.bro        | 33 +++++++++++++++----
 scripts/policy/frameworks/intel/seen/ssl.bro  |  1 +
 .../intel-all.log                             | 14 ++++----
 3 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index eba27ca56a..d334210db6 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -77,23 +77,35 @@ export {
 		## The type of data that the indicator represents.
 		indicator_type:  Type          &log &optional;
 
-		## If the indicator type was :bro:enum:`Intel::ADDR`, then this 
+		## If the indicator type was :bro:enum:`Intel::ADDR`, then this
 		## field will be present.
 		host:            addr          &optional;
 
 		## Where the data was discovered.
 		where:           Where         &log;
-		
+
 		## The name of the node where the match was discovered.
 		node:            string        &optional &log;
 
-		## If the data was discovered within a connection, the 
+		## If the data was discovered within a connection, the
 		## connection record should go here to give context to the data.
 		conn:            connection    &optional;
 
+		## If the data was discovered within a connection, the
+		## connection uid should go here to give context to the data.
+		## If the *conn* field is provided, this will be automatically
+		## filled out.
+		uid:             string        &optional;
+
+
 		## If the data was discovered within a file, the file record
 		## should go here to provide context to the data.
 		f:               fa_file       &optional;
+
+		## If the data was discovered within a file, the file uid should
+		## go here to provide context to the data. If the *f* field is
+		## provided, this will be automatically filled out.
+		fuid:            string        &optional;
 	};
 
 	## Record used for the logging framework representing a positive
@@ -112,7 +124,8 @@ export {
 		## If a file was associated with this intelligence hit,
 		## this is the uid for the file.
 		fuid:           string   &log &optional;
-		## A mime type if the intelligence hit is related to a file.  
+
+		## A mime type if the intelligence hit is related to a file.
 		## If the $f field is provided this will be automatically filled
 		## out.
 		file_mime_type: string   &log &optional;
@@ -283,14 +296,14 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 
 	if ( s?$f )
 		{
+		s$fuid = s$f$id;
+
 		if ( s$f?$conns && |s$f$conns| == 1 )
 			{
 			for ( cid in s$f$conns )
 				s$conn = s$f$conns[cid];
 			}
 
-		if ( ! info?$fuid )
-			info$fuid = s$f$id;
 
 		if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type )
 			info$file_mime_type = s$f$info$mime_type;
@@ -299,12 +312,18 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 			info$file_desc = Files::describe(s$f);
 		}
 
+	if ( s?$fuid )
+		info$fuid = s$fuid;
+
 	if ( s?$conn )
 		{
-		info$uid = s$conn$uid;
+		s$uid = s$conn$uid;
 		info$id  = s$conn$id;
 		}
 
+	if ( s?$uid )
+		info$uid = s$uid;
+
 	for ( item in items )
 		add info$sources[item$meta$source];
 
diff --git a/scripts/policy/frameworks/intel/seen/ssl.bro b/scripts/policy/frameworks/intel/seen/ssl.bro
index 7bfbef4e9b..89aebc1891 100644
--- a/scripts/policy/frameworks/intel/seen/ssl.bro
+++ b/scripts/policy/frameworks/intel/seen/ssl.bro
@@ -20,6 +20,7 @@ event ssl_established(c: connection)
 	if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
 		Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
 			$indicator_type=Intel::DOMAIN,
+			$fuid=c$ssl$cert_chain_fuids[0],
 			$conn=c,
 			$where=X509::IN_CERT]);
 	}
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
index 4b5786e00d..0cac337cf3 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log
@@ -3,23 +3,23 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-04-11-13-48-49
+#open	2016-04-25-23-53-37
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
 1416942644.593119	CXWv6p3arKYeMETxOg	192.168.4.149	49422	23.92.19.75	443	F0txuw2pvrkZOn04a8	application/pkix-cert	23.92.19.75:443/tcp	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2016-04-11-13-48-49
+#close	2016-04-25-23-53-37
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2016-04-11-13-48-49
+#open	2016-04-25-23-53-38
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
 1170717505.735416	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	FeCwNK3rzqPnZ7eBQ5	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
-1170717505.934612	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
+1170717505.934612	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	FeCwNK3rzqPnZ7eBQ5	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
 1170717508.883051	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	FjkLnG4s34DVZlaBNc	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
-1170717509.082241	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
+1170717509.082241	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	FjkLnG4s34DVZlaBNc	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
 1170717511.909717	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	FQXAWgI2FB5STbrff	application/pkix-cert	194.127.84.106:443/tcp	2c322ae2b7fe91391345e070b63668978bb1c9da	Intel::CERT_HASH	X509::IN_CERT	bro	source1
-1170717512.108799	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2016-04-11-13-48-49
+1170717512.108799	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	FQXAWgI2FB5STbrff	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
+#close	2016-04-25-23-53-38

From 25f8993b57138b03dd2d0d665bbf5ba9b37b0f7f Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Tue, 26 Apr 2016 11:15:41 -0700
Subject: [PATCH 06/17] IMAP: documentation and test updates

---
 src/analyzer/protocol/imap/IMAP.cc            |  1 -
 src/analyzer/protocol/imap/Plugin.cc          |  6 +----
 src/analyzer/protocol/imap/events.bif         |  9 +++----
 .../Baseline/core.print-bpf-filters/output2   |  9 ++++---
 .../canonified_loaded_scripts.log             |  5 ++--
 .../canonified_loaded_scripts.log             |  7 ++++--
 testing/btest/Baseline/plugins.hooks/output   | 25 ++++++++++++++-----
 7 files changed, 37 insertions(+), 25 deletions(-)

diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc
index ad38d598ac..ea09a66717 100644
--- a/src/analyzer/protocol/imap/IMAP.cc
+++ b/src/analyzer/protocol/imap/IMAP.cc
@@ -77,7 +77,6 @@ void IMAP_Analyzer::StartTLS()
 	// StartTLS was called. This means we saw a client starttls followed
 	// by a server proceed. From here on, everything should be a binary
 	// TLS datastream.
-
 	tls_active = true;
 
 	Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
diff --git a/src/analyzer/protocol/imap/Plugin.cc b/src/analyzer/protocol/imap/Plugin.cc
index 8660879bc3..63358f1aeb 100644
--- a/src/analyzer/protocol/imap/Plugin.cc
+++ b/src/analyzer/protocol/imap/Plugin.cc
@@ -1,8 +1,5 @@
 // See the file  in the main distribution directory for copyright.
-
-
 #include "plugin/Plugin.h"
-
 #include "IMAP.h"
 
 namespace plugin {
@@ -14,10 +11,9 @@ public:
 		{
 		AddComponent(new ::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
 
-
 		plugin::Configuration config;
 		config.name = "Bro::IMAP";
-		config.description = "IMAP analyzer StartTLS only";
+		config.description = "IMAP analyzer (StartTLS only)";
 		return config;
 		}
 } plugin;
diff --git a/src/analyzer/protocol/imap/events.bif b/src/analyzer/protocol/imap/events.bif
index ba83791b13..8d70dda26f 100644
--- a/src/analyzer/protocol/imap/events.bif
+++ b/src/analyzer/protocol/imap/events.bif
@@ -1,14 +1,13 @@
-## Generated for an SSL/TLS client's initial *hello* message.  SSL/TLS sessions
-## start with an unencrypted handshake, and Bro extracts as much information out
-## of that as it can. This event provides access to the initial information
-## sent by the client.
+## Generated when a server sends a capability list to the client,
+## after being queried using the CAPABILITY command.
 ##
 ## c: The connection.
 ##
 ## capabilities: The list of IMAP capabilities as sent by the server.
 event imap_capabilities%(c: connection, capabilities: string_vec%);
 
-## Generated when a IMAP connection goes encrypted
+## Generated when a IMAP connection goes encrypted after a successful
+## StartTLS exchange between the client and the server.
 ##
 ## c: The connection.
 event imap_starttls%(c: connection%);
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index ac140925fc..d0f448441b 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -1,5 +1,6 @@
 2 1080
 1 137
+1 143
 1 1434
 1 161
 1 162
@@ -47,8 +48,8 @@
 1 992
 1 993
 1 995
-54 and
-53 or
-54 port
-36 tcp
+55 and
+54 or
+55 port
+37 tcp
 18 udp
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index b5107374d1..0427e043e1 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-04-22-23-21-01
+#open	2016-04-26-18-11-39
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -76,6 +76,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro
     build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro
@@ -131,4 +132,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2016-04-22-23-21-01
+#close	2016-04-26-18-11-39
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index c2db0ad12e..806f1c6b9b 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-04-22-23-21-18
+#open	2016-04-26-18-11-49
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -76,6 +76,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro
     build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro
@@ -252,6 +253,8 @@ scripts/base/init-default.bro
     scripts/base/protocols/http/entities.bro
     scripts/base/protocols/http/utils.bro
     scripts/base/protocols/http/files.bro
+  scripts/base/protocols/imap/__load__.bro
+    scripts/base/protocols/imap/main.bro
   scripts/base/protocols/irc/__load__.bro
     scripts/base/protocols/irc/main.bro
     scripts/base/protocols/irc/dcc-send.bro
@@ -302,4 +305,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2016-04-22-23-21-18
+#close	2016-04-26-18-11-49
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index d4bd063e12..a30a37bf95 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -25,6 +25,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> <no result>
@@ -83,6 +84,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> <no result>
@@ -122,6 +124,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6669<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB, {88/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB_TCP, {88/tcp})) -> <no result>
@@ -230,7 +233,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -351,7 +354,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -416,6 +419,7 @@
 0.000000   MetaHookPost  LoadFile(./Bro_HTTP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_HTTP.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ICMP.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_IMAP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_IRC.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_Ident.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_InterConn.events.bif.bro) -> -1
@@ -587,6 +591,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/ftp) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/hash) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/http) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/imap) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/input) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/input.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/intel) -> -1
@@ -665,6 +670,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp))
@@ -723,6 +729,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp))
@@ -762,6 +769,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {631<...>/tcp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6669<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB, {88/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_KRB_TCP, {88/tcp}))
@@ -870,7 +878,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -991,7 +999,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1056,6 +1064,7 @@
 0.000000   MetaHookPre   LoadFile(./Bro_HTTP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_HTTP.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_ICMP.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_IMAP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_IRC.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_Ident.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_InterConn.events.bif.bro)
@@ -1227,6 +1236,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/ftp)
 0.000000   MetaHookPre   LoadFile(base<...>/hash)
 0.000000   MetaHookPre   LoadFile(base<...>/http)
+0.000000   MetaHookPre   LoadFile(base<...>/imap)
 0.000000   MetaHookPre   LoadFile(base<...>/input)
 0.000000   MetaHookPre   LoadFile(base<...>/input.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/intel)
@@ -1305,6 +1315,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IMAP, 143/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp)
@@ -1363,6 +1374,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IMAP, 143/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp)
@@ -1402,6 +1414,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {631<...>/tcp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6669<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, {88/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, {88/tcp})
@@ -1509,7 +1522,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1630,7 +1643,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()

From 59573bad33a68a363b9fefed306445d1edd3c750 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Tue, 26 Apr 2016 13:06:48 -0700
Subject: [PATCH 07/17] IMAP: add c++11 header file that gcc complains about.

---
 src/analyzer/protocol/imap/IMAP.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h
index a1f59e5010..e71770d360 100644
--- a/src/analyzer/protocol/imap/IMAP.h
+++ b/src/analyzer/protocol/imap/IMAP.h
@@ -3,6 +3,8 @@
 #ifndef ANALYZER_PROTOCOL_IMAP_IMAP_H
 #define ANALYZER_PROTOCOL_IMAP_IMAP_H
 
+// for std::transform
+#include <algorithm>
 #include "analyzer/protocol/tcp/TCP.h"
 
 #include "imap_pac.h"

From f44bb4d9b887237cf7e417c47bd21ddf6a1c1d80 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Tue, 26 Apr 2016 16:24:10 -0500
Subject: [PATCH 08/17] Add script wrapper functions for broker BIFs

Also renamed the "print" function to "send_print" and the "event"
function to "send_event" because Bro shows a syntax error when a
Bro script function is named "event" or "print".
---
 scripts/base/frameworks/broker/main.bro       | 317 ++++++++++++++++
 scripts/base/frameworks/broker/store.bro      | 344 ++++++++++++++++++
 .../frameworks/netcontrol/plugins/acld.bro    |   4 +-
 .../frameworks/netcontrol/plugins/broker.bro  |   4 +-
 .../frameworks/openflow/plugins/broker.bro    |   4 +-
 src/broker/comm.bif                           |  74 +---
 src/broker/messaging.bif                      | 137 +------
 src/broker/store.bif                          | 202 +---------
 .../canonified_loaded_scripts.log             |  10 +-
 .../canonified_loaded_scripts.log             |  10 +-
 testing/btest/Baseline/plugins.hooks/output   |  18 +-
 testing/btest/broker/remote_event.test        |   6 +-
 testing/btest/broker/remote_print.test        |   6 +-
 .../base/frameworks/netcontrol/acld-hook.bro  |   4 +-
 .../base/frameworks/netcontrol/acld.bro       |   4 +-
 .../base/frameworks/netcontrol/broker.bro     |   6 +-
 .../base/frameworks/openflow/broker-basic.bro |   4 +-
 17 files changed, 747 insertions(+), 407 deletions(-)

diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro
index d8b4a208a2..a0024055a7 100644
--- a/scripts/base/frameworks/broker/main.bro
+++ b/scripts/base/frameworks/broker/main.bro
@@ -1,5 +1,14 @@
 ##! Various data structure definitions for use with Bro's communication system.
 
+module Log;
+
+export {
+    type Log::ID: enum {
+        ## Dummy place-holder.
+        UNKNOWN
+    };
+}
+
 module Broker;
 
 export {
@@ -52,4 +61,312 @@ export {
 		key: Broker::Data;
 		val: Broker::Data;
 	};
+
+	## Enable use of communication.
+	##
+	## flags: used to tune the local Broker endpoint behavior.
+	##
+	## Returns: true if communication is successfully initialized.
+	global enable: function(flags: EndpointFlags &default = EndpointFlags()): bool;
+
+	## Changes endpoint flags originally supplied to :bro:see:`Broker::enable`.
+	##
+	## flags: the new endpoint behavior flags to use.
+	##
+	## Returns: true if flags were changed.
+	global set_endpoint_flags: function(flags: EndpointFlags &default = EndpointFlags()): bool;
+
+	## Allow sending messages to peers if associated with the given topic.
+	## This has no effect if auto publication behavior is enabled via the flags
+	## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
+	##
+	## topic: a topic to allow messages to be published under.
+	##
+	## Returns: true if successful.
+	global publish_topic: function(topic: string): bool;
+
+	## Disallow sending messages to peers if associated with the given topic.
+	## This has no effect if auto publication behavior is enabled via the flags
+	## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
+	##
+	## topic: a topic to disallow messages to be published under.
+	##
+	## Returns: true if successful.
+	global unpublish_topic: function(topic: string): bool;
+
+	## Listen for remote connections.
+	##
+	## p: the TCP port to listen on.
+	##
+	## a: an address string on which to accept connections, e.g.
+	##    "127.0.0.1".  An empty string refers to @p INADDR_ANY.
+	##
+	## reuse: equivalent to behavior of SO_REUSEADDR.
+	##
+	## Returns: true if the local endpoint is now listening for connections.
+	##
+	## .. bro:see:: Broker::incoming_connection_established
+	global listen: function(p: port, a: string &default = "", reuse: bool &default = T): bool;
+
+	## Initiate a remote connection.
+	##
+	## a: an address to connect to, e.g. "localhost" or "127.0.0.1".
+	##
+	## p: the TCP port on which the remote side is listening.
+	##
+	## retry: an interval at which to retry establishing the
+	##        connection with the remote peer if it cannot be made initially, or
+	##        if it ever becomes disconnected.
+	##
+	## Returns: true if it's possible to try connecting with the peer and
+	##          it's a new peer.  The actual connection may not be established
+	##          until a later point in time.
+	##
+	## .. bro:see:: Broker::outgoing_connection_established
+	global connect: function(a: string, p: port, retry: interval): bool;
+
+	## Remove a remote connection.
+	##
+	## a: the address used in previous successful call to :bro:see:`Broker::connect`.
+	##
+	## p: the port used in previous successful call to :bro:see:`Broker::connect`.
+	##
+	## Returns: true if the arguments match a previously successful call to
+	##          :bro:see:`Broker::connect`.
+	global disconnect: function(a: string, p: port): bool;
+
+	## Print a simple message to any interested peers.  The receiver can use
+	## :bro:see:`Broker::print_handler` to handle messages.
+	##
+	## topic: a topic associated with the printed message.
+	##
+	## msg: the print message to send to peers.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if the message is sent.
+	global send_print: function(topic: string, msg: string, flags: SendFlags &default = SendFlags()): bool;
+
+	## Register interest in all peer print messages that use a certain topic
+	## prefix. Use :bro:see:`Broker::print_handler` to handle received
+	## messages.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new print subscription and it is now registered.
+	global subscribe_to_prints: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer print messages that use a topic prefix.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_prints`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_prints: function(topic_prefix: string): bool;
+
+	## Send an event to any interested peers.
+	##
+	## topic: a topic associated with the event message.
+	##
+	## args: event arguments as made by :bro:see:`Broker::event_args`.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if the message is sent.
+	global send_event: function(topic: string, args: EventArgs, flags: SendFlags &default = SendFlags()): bool;
+
+	## Automatically send an event to any interested peers whenever it is
+	## locally dispatched (e.g. using "event my_event(...);" in a script).
+	##
+	## topic: a topic string associated with the event message.
+	##        Peers advertise interest by registering a subscription to some
+	##        prefix of this topic name.
+	##
+	## ev: a Bro event value.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if automatic event sending is now enabled.
+	global auto_event: function(topic: string, ev: any, flags: SendFlags &default = SendFlags()): bool;
+
+	## Stop automatically sending an event to peers upon local dispatch.
+	##
+	## topic: a topic originally given to :bro:see:`Broker::auto_event`.
+	##
+	## ev: an event originally given to :bro:see:`Broker::auto_event`.
+	##
+	## Returns: true if automatic events will not occur for the topic/event
+	##          pair.
+	global auto_event_stop: function(topic: string, ev: any): bool;
+
+	## Register interest in all peer event messages that use a certain topic
+	## prefix.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new event subscription and it is now registered.
+	global subscribe_to_events: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer event messages that use a topic prefix.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_events`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_events: function(topic_prefix: string): bool;
+
+	## Enable remote logs for a given log stream.
+	##
+	## id: the log stream to enable remote logs for.
+	##
+	## flags: tune the behavior of how log entry messages are sent.
+	##
+	## Returns: true if remote logs are enabled for the stream.
+	global enable_remote_logs: function(id: Log::ID, flags: SendFlags &default = SendFlags()): bool;
+
+	## Disable remote logs for a given log stream.
+	##
+	## id: the log stream to disable remote logs for.
+	##
+	## Returns: true if remote logs are disabled for the stream.
+	global disable_remote_logs: function(id: Log::ID): bool;
+
+	## Check if remote logs are enabled for a given log stream.
+	##
+	## id: the log stream to check.
+	##
+	## Returns: true if remote logs are enabled for the given stream.
+	global remote_logs_enabled: function(id: Log::ID): bool;
+
+	## Register interest in all peer log messages that use a certain topic
+	## prefix. Logs are implicitly sent with topic "bro/log/<stream-name>" and
+	## the receiving side processes them through the logging framework as usual.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new log subscription and it is now registered.
+	global subscribe_to_logs: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer log messages that use a topic prefix.
+	## Logs are implicitly sent with topic "bro/log/<stream-name>" and the
+	## receiving side processes them through the logging framework as usual.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_logs`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_logs: function(topic_prefix: string): bool;
+
 }
+
+@load base/bif/comm.bif
+@load base/bif/messaging.bif
+
+module Broker;
+
+function enable(flags: EndpointFlags &default = EndpointFlags()) : bool
+    {
+    return __enable(flags);
+    }
+
+function set_endpoint_flags(flags: EndpointFlags &default = EndpointFlags()): bool
+    {
+    return __set_endpoint_flags(flags);
+    }
+
+function publish_topic(topic: string): bool
+    {
+    return __publish_topic(topic);
+    }
+
+function unpublish_topic(topic: string): bool
+    {
+    return __unpublish_topic(topic);
+    }
+
+function listen(p: port, a: string &default = "", reuse: bool &default = T): bool
+    {
+    return __listen(p, a, reuse);
+    }
+
+function connect(a: string, p: port, retry: interval): bool
+    {
+    return __connect(a, p, retry);
+    }
+
+function disconnect(a: string, p: port): bool
+    {
+    return __disconnect(a, p);
+    }
+
+function send_print(topic: string, msg: string, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __send_print(topic, msg, flags);
+    }
+
+function subscribe_to_prints(topic_prefix: string): bool
+    {
+    return __subscribe_to_prints(topic_prefix);
+    }
+
+function unsubscribe_to_prints(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_prints(topic_prefix);
+    }
+
+function send_event(topic: string, args: EventArgs, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __event(topic, args, flags);
+    }
+
+function auto_event(topic: string, ev: any, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __auto_event(topic, ev, flags);
+    }
+
+function auto_event_stop(topic: string, ev: any): bool
+    {
+    return __auto_event_stop(topic, ev);
+    }
+
+function subscribe_to_events(topic_prefix: string): bool
+    {
+    return __subscribe_to_events(topic_prefix);
+    }
+
+function unsubscribe_to_events(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_events(topic_prefix);
+    }
+
+function enable_remote_logs(id: Log::ID, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __enable_remote_logs(id, flags);
+    }
+
+function disable_remote_logs(id: Log::ID): bool
+    {
+    return __disable_remote_logs(id);
+    }
+
+function remote_logs_enabled(id: Log::ID): bool
+    {
+    return __remote_logs_enabled(id);
+    }
+
+function subscribe_to_logs(topic_prefix: string): bool
+    {
+    return __subscribe_to_logs(topic_prefix);
+    }
+
+function unsubscribe_to_logs(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_logs(topic_prefix);
+    }
+
diff --git a/scripts/base/frameworks/broker/store.bro b/scripts/base/frameworks/broker/store.bro
index e6468f2b2c..36565d72aa 100644
--- a/scripts/base/frameworks/broker/store.bro
+++ b/scripts/base/frameworks/broker/store.bro
@@ -31,6 +31,13 @@ export {
 		result: Broker::Data;
 	};
 
+	## Enumerates the possible storage backends.
+	type BackendType: enum {
+		MEMORY,
+		SQLITE,
+		ROCKSDB,
+	};
+
 	## Options to tune the SQLite storage backend.
 	type SQLiteOptions: record {
 		## File system path of the database.
@@ -48,4 +55,341 @@ export {
 		sqlite: SQLiteOptions &default = SQLiteOptions();
 		rocksdb: RocksDBOptions &default = RocksDBOptions();
 	};
+
+	## Create a master data store which contains key-value pairs.
+	##
+	## id: a unique name for the data store.
+	##
+	## b: the storage backend to use.
+	##
+	## options: tunes how some storage backends operate.
+	##
+	## Returns: a handle to the data store.
+	global create_master: function(id: string, b: BackendType &default = MEMORY,
+	                               options: BackendOptions &default = BackendOptions()): opaque of Broker::Handle;
+
+	## Create a clone of a master data store which may live with a remote peer.
+	## A clone automatically synchronizes to the master by automatically
+	## receiving modifications and applying them locally.  Direct modifications
+	## are not possible, they must be sent through the master store, which then
+	## automatically broadcasts the changes out to clones.  But queries may be
+	## made directly against the local cloned copy, which may be resolved
+	## quicker than reaching out to a remote master store.
+	##
+	## id: the unique name which identifies the master data store.
+	##
+	## b: the storage backend to use.
+	##
+	## options: tunes how some storage backends operate.
+	##
+	## resync: the interval at which to re-attempt synchronizing with the master
+	##         store should the connection be lost.  If the clone has not yet
+	##         synchronized for the first time, updates and queries queue up
+	##         until the synchronization completes.  After, if the connection
+	##         to the master store is lost, queries continue to use the clone's
+	##         version, but updates will be lost until the master is once again
+	##         available.
+	##
+	## Returns: a handle to the data store.
+	global create_clone: function(id: string, b: BackendType &default = MEMORY,
+	                              options: BackendOptions &default = BackendOptions(),
+	                              resync: interval &default = 1sec): opaque of Broker::Handle;
+
+	## Create a frontend interface to an existing master data store that allows
+	## querying and updating its contents.
+	##
+	## id: the unique name which identifies the master data store.
+	##
+	## Returns: a handle to the data store.
+	global create_frontend: function(id: string): opaque of Broker::Handle;
+
+	## Close a data store.
+	##
+	## h: a data store handle.
+	##
+	## Returns: true if store was valid and is now closed.  The handle can no
+	##          longer be used for data store operations.
+	global close_by_handle: function(h: opaque of Broker::Handle): bool;
+
+	###########################
+	# non-blocking update API #
+	###########################
+
+	## Insert a key-value pair in to the store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key to insert.
+	##
+	## v: the value to insert.
+	##
+	## e: the expiration time of the key-value pair.
+	##
+	## Returns: false if the store handle was not valid.
+	global insert: function(h: opaque of Broker::Handle,
+	                        k: Broker::Data, v: Broker::Data,
+	                        e: Broker::ExpiryTime &default = Broker::ExpiryTime()): bool;
+
+	## Remove a key-value pair from the store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key to remove.
+	##
+	## Returns: false if the store handle was not valid.
+	global erase: function(h: opaque of Broker::Handle, k: Broker::Data): bool;
+
+	## Remove all key-value pairs from the store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## Returns: false if the store handle was not valid.
+	global clear: function(h: opaque of Broker::Handle): bool;
+
+	## Increment an integer value in a data store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## by: the amount to increment the value by.  A non-existent key will first
+	##     create it with an implicit value of zero before incrementing.
+	##
+	## Returns: false if the store handle was not valid.
+	global increment: function(h: opaque of Broker::Handle,
+	                           k: Broker::Data, by: int &default = +1): bool;
+
+	## Decrement an integer value in a data store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## by: the amount to decrement the value by.  A non-existent key will first
+	##     create it with an implicit value of zero before decrementing.
+	##
+	## Returns: false if the store handle was not valid.
+	global decrement: function(h: opaque of Broker::Handle,
+	                           k: Broker::Data, by: int &default = +1): bool;
+
+	## Add an element to a set value in a data store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## element: the element to add to the set.  A non-existent key will first
+	##          create it with an implicit empty set value before modifying.
+	##
+	## Returns: false if the store handle was not valid.
+	global add_to_set: function(h: opaque of Broker::Handle,
+	                            k: Broker::Data, element: Broker::Data): bool;
+
+	## Remove an element from a set value in a data store.
+	##
+	## h: the handle of the store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## element: the element to remove from the set.  A non-existent key will
+	##          implicitly create an empty set value associated with the key.
+	##
+	## Returns: false if the store handle was not valid.
+	global remove_from_set: function(h: opaque of Broker::Handle,
+	                                 k: Broker::Data, element: Broker::Data): bool;
+
+	## Add a new item to the head of a vector value in a data store.
+	##
+	## h: the handle of store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## items: the element to insert in to the vector.  A non-existent key will
+	##        first create an empty vector value before modifying.
+	##
+	## Returns: false if the store handle was not valid.
+	global push_left: function(h: opaque of Broker::Handle, k: Broker::Data,
+	                           items: Broker::DataVector): bool;
+
+	## Add a new item to the tail of a vector value in a data store.
+	##
+	## h: the handle of store to modify.
+	##
+	## k: the key whose associated value is to be modified.
+	##
+	## items: the element to insert in to the vector.  A non-existent key will
+	##        first create an empty vector value before modifying.
+	##
+	## Returns: false if the store handle was not valid.
+	global push_right: function(h: opaque of Broker::Handle, k: Broker::Data,
+	                            items: Broker::DataVector): bool;
+
+	##########################
+	# non-blocking query API #
+	##########################
+
+	## Pop the head of a data store vector value.
+	##
+	## h: the handle of the store to query.
+	##
+	## k: the key associated with the vector to modify.
+	##
+	## Returns: the result of the query.
+	global pop_left: function(h: opaque of Broker::Handle,
+	                          k: Broker::Data): QueryResult;
+
+	## Pop the tail of a data store vector value.
+	##
+	## h: the handle of the store to query.
+	##
+	## k: the key associated with the vector to modify.
+	##
+	## Returns: the result of the query.
+	global pop_right: function(h: opaque of Broker::Handle,
+	                           k: Broker::Data): QueryResult;
+
+	## Lookup the value associated with a key in a data store.
+	##
+	## h: the handle of the store to query.
+	##
+	## k: the key to lookup.
+	##
+	## Returns: the result of the query.
+	global lookup: function(h: opaque of Broker::Handle,
+	                       k: Broker::Data): QueryResult;
+
+	## Check if a data store contains a given key.
+	##
+	## h: the handle of the store to query.
+	##
+	## k: the key to check for existence.
+	##
+	## Returns: the result of the query (uses :bro:see:`Broker::BOOL`).
+	global exists: function(h: opaque of Broker::Handle,
+	                        k: Broker::Data): QueryResult;
+
+	## Retrieve all keys in a data store.
+	##
+	## h: the handle of the store to query.
+	##
+	## Returns: the result of the query (uses :bro:see:`Broker::VECTOR`).
+	global keys: function(h: opaque of Broker::Handle): QueryResult;
+
+	## Get the number of key-value pairs in a data store.
+	##
+	## h: the handle of the store to query.
+	##
+	## Returns: the result of the query (uses :bro:see:`Broker::COUNT`).
+	global size: function(h: opaque of Broker::Handle): QueryResult;
+
 }
+
+@load base/bif/store.bif
+
+module Broker;
+
+function create_master(id: string, b: BackendType &default = MEMORY,
+                       options: BackendOptions &default = BackendOptions()): opaque of Broker::Handle
+	{
+	return __create_master(id, b, options);
+	}
+
+function create_clone(id: string, b: BackendType &default = MEMORY,
+                      options: BackendOptions &default = BackendOptions(),
+                      resync: interval &default = 1sec): opaque of Broker::Handle
+	{
+	return __create_clone(id, b, options, resync);
+	}
+
+function create_frontend(id: string): opaque of Broker::Handle
+	{
+	return __create_frontend(id);
+	}
+
+function close_by_handle(h: opaque of Broker::Handle): bool
+	{
+	return __close_by_handle(h);
+	}
+
+function insert(h: opaque of Broker::Handle, k: Broker::Data, v: Broker::Data,
+                e: Broker::ExpiryTime &default = Broker::ExpiryTime()): bool
+	{
+	return __insert(h, k, v, e);
+	}
+
+function erase(h: opaque of Broker::Handle, k: Broker::Data): bool
+	{
+	return __erase(h, k);
+	}
+
+function clear(h: opaque of Broker::Handle): bool
+	{
+	return __clear(h);
+	}
+
+function increment(h: opaque of Broker::Handle,
+                           k: Broker::Data, by: int &default = +1): bool
+	{
+	return __increment(h, k, by);
+	}
+
+function decrement(h: opaque of Broker::Handle,
+                           k: Broker::Data, by: int &default = +1): bool
+	{
+	return __decrement(h, k, by);
+	}
+
+function add_to_set(h: opaque of Broker::Handle,
+                            k: Broker::Data, element: Broker::Data): bool
+	{
+	return __add_to_set(h, k, element);
+	}
+
+function remove_from_set(h: opaque of Broker::Handle,
+                                 k: Broker::Data, element: Broker::Data): bool
+	{
+	return __remove_from_set(h, k, element);
+	}
+
+function push_left(h: opaque of Broker::Handle, k: Broker::Data,
+                           items: Broker::DataVector): bool
+	{
+	return __push_left(h, k, items);
+	}
+
+function push_right(h: opaque of Broker::Handle, k: Broker::Data,
+                            items: Broker::DataVector): bool
+	{
+	return __push_right(h, k, items);
+	}
+
+function pop_left(h: opaque of Broker::Handle, k: Broker::Data): QueryResult
+	{
+	return __pop_left(h, k);
+	}
+
+function pop_right(h: opaque of Broker::Handle, k: Broker::Data): QueryResult
+	{
+	return __pop_right(h, k);
+	}
+
+function lookup(h: opaque of Broker::Handle, k: Broker::Data): QueryResult
+	{
+	return __lookup(h, k);
+	}
+
+function exists(h: opaque of Broker::Handle, k: Broker::Data): QueryResult
+	{
+	return __exists(h, k);
+	}
+
+function keys(h: opaque of Broker::Handle): QueryResult
+	{
+	return __keys(h);
+	}
+
+function size(h: opaque of Broker::Handle): QueryResult
+	{
+	return __size(h);
+	}
+
diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.bro b/scripts/base/frameworks/netcontrol/plugins/acld.bro
index 13802f2e21..ba50558d9a 100644
--- a/scripts/base/frameworks/netcontrol/plugins/acld.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/acld.bro
@@ -227,7 +227,7 @@ function acld_add_rule_fun(p: PluginState, r: Rule) : bool
 	if ( ar$command == "" )
 		return F;
 
-	Broker::event(p$acld_config$acld_topic, Broker::event_args(acld_add_rule, p$acld_id, r, ar));
+	Broker::send_event(p$acld_config$acld_topic, Broker::event_args(acld_add_rule, p$acld_id, r, ar));
 	return T;
 	}
 
@@ -242,7 +242,7 @@ function acld_remove_rule_fun(p: PluginState, r: Rule) : bool
 	else
 		return F;
 
-	Broker::event(p$acld_config$acld_topic, Broker::event_args(acld_remove_rule, p$acld_id, r, ar));
+	Broker::send_event(p$acld_config$acld_topic, Broker::event_args(acld_remove_rule, p$acld_id, r, ar));
 	return T;
 	}
 
diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.bro
index 2af3724db7..82e1d20f07 100644
--- a/scripts/base/frameworks/netcontrol/plugins/broker.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro
@@ -96,13 +96,13 @@ function broker_name(p: PluginState) : string
 
 function broker_add_rule_fun(p: PluginState, r: Rule) : bool
 	{
-	Broker::event(p$broker_topic, Broker::event_args(broker_add_rule, p$broker_id, r));
+	Broker::send_event(p$broker_topic, Broker::event_args(broker_add_rule, p$broker_id, r));
 	return T;
 	}
 
 function broker_remove_rule_fun(p: PluginState, r: Rule) : bool
 	{
-	Broker::event(p$broker_topic, Broker::event_args(broker_remove_rule, p$broker_id, r));
+	Broker::send_event(p$broker_topic, Broker::event_args(broker_remove_rule, p$broker_id, r));
 	return T;
 	}
 
diff --git a/scripts/base/frameworks/openflow/plugins/broker.bro b/scripts/base/frameworks/openflow/plugins/broker.bro
index 93a627a8f4..ba15cc6ad1 100644
--- a/scripts/base/frameworks/openflow/plugins/broker.bro
+++ b/scripts/base/frameworks/openflow/plugins/broker.bro
@@ -47,14 +47,14 @@ function broker_describe(state: ControllerState): string
 
 function broker_flow_mod_fun(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool
 	{
-	Broker::event(state$broker_topic, Broker::event_args(broker_flow_mod, state$_name, state$broker_dpid, match, flow_mod));
+	Broker::send_event(state$broker_topic, Broker::event_args(broker_flow_mod, state$_name, state$broker_dpid, match, flow_mod));
 
 	return T;
 	}
 
 function broker_flow_clear_fun(state: OpenFlow::ControllerState): bool
 	{
-	Broker::event(state$broker_topic, Broker::event_args(broker_flow_clear, state$_name, state$broker_dpid));
+	Broker::send_event(state$broker_topic, Broker::event_args(broker_flow_clear, state$_name, state$broker_dpid));
 
 	return T;
 	}
diff --git a/src/broker/comm.bif b/src/broker/comm.bif
index 4caa1f8859..3bc8fa7dff 100644
--- a/src/broker/comm.bif
+++ b/src/broker/comm.bif
@@ -9,46 +9,22 @@ module Broker;
 
 type Broker::EndpointFlags: record;
 
-## Enable use of communication.
-##
-## flags: used to tune the local Broker endpoint behavior.
-##
-## Returns: true if communication is successfully initialized.
-function Broker::enable%(flags: EndpointFlags &default = EndpointFlags()%): bool
+function Broker::__enable%(flags: EndpointFlags%): bool
 	%{
 	return new Val(broker_mgr->Enable(flags), TYPE_BOOL);
 	%}
 
-## Changes endpoint flags originally supplied to :bro:see:`Broker::enable`.
-##
-## flags: the new endpoint behavior flags to use.
-##
-## Returns: true if flags were changed.
-function Broker::set_endpoint_flags%(flags: EndpointFlags &default = EndpointFlags()%): bool
+function Broker::__set_endpoint_flags%(flags: EndpointFlags%): bool
 	%{
 	return new Val(broker_mgr->SetEndpointFlags(flags), TYPE_BOOL);
 	%}
 
-## Allow sending messages to peers if associated with the given topic.
-## This has no effect if auto publication behavior is enabled via the flags
-## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
-##
-## topic: a topic to allow messages to be published under.
-##
-## Returns: true if successful.
-function Broker::publish_topic%(topic: string%): bool
+function Broker::__publish_topic%(topic: string%): bool
 	%{
 	return new Val(broker_mgr->PublishTopic(topic->CheckString()), TYPE_BOOL);
 	%}
 
-## Disallow sending messages to peers if associated with the given topic.
-## This has no effect if auto publication behavior is enabled via the flags
-## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
-##
-## topic: a topic to disallow messages to be published under.
-##
-## Returns: true if successful.
-function Broker::unpublish_topic%(topic: string%): bool
+function Broker::__unpublish_topic%(topic: string%): bool
 	%{
 	return new Val(broker_mgr->UnpublishTopic(topic->CheckString()), TYPE_BOOL);
 	%}
@@ -124,20 +100,7 @@ event Broker::incoming_connection_established%(peer_name: string%);
 ## .. bro:see:: Broker::incoming_connection_established
 event Broker::incoming_connection_broken%(peer_name: string%);
 
-## Listen for remote connections.
-##
-## p: the TCP port to listen on.
-##
-## a: an address string on which to accept connections, e.g.
-##    "127.0.0.1".  An empty string refers to @p INADDR_ANY.
-##
-## reuse: equivalent to behavior of SO_REUSEADDR.
-##
-## Returns: true if the local endpoint is now listening for connections.
-##
-## .. bro:see:: Broker::incoming_connection_established
-function Broker::listen%(p: port, a: string &default = "",
-					   reuse: bool &default = T%): bool
+function Broker::__listen%(p: port, a: string, reuse: bool%): bool
 	%{
 	if ( ! p->IsTCP() )
 		{
@@ -150,22 +113,7 @@ function Broker::listen%(p: port, a: string &default = "",
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Initiate a remote connection.
-##
-## a: an address to connect to, e.g. "localhost" or "127.0.0.1".
-##
-## p: the TCP port on which the remote side is listening.
-##
-## retry: an interval at which to retry establishing the
-##        connection with the remote peer if it cannot be made initially, or
-##        if it ever becomes disconnected.
-##
-## Returns: true if it's possible to try connecting with the peer and
-##          it's a new peer.  The actual connection may not be established
-##          until a later point in time.
-##
-## .. bro:see:: Broker::outgoing_connection_established
-function Broker::connect%(a: string, p: port, retry: interval%): bool
+function Broker::__connect%(a: string, p: port, retry: interval%): bool
 	%{
 	if ( ! p->IsTCP() )
 		{
@@ -178,15 +126,7 @@ function Broker::connect%(a: string, p: port, retry: interval%): bool
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Remove a remote connection.
-##
-## a: the address used in previous successful call to :bro:see:`Broker::connect`.
-##
-## p: the port used in previous successful call to :bro:see:`Broker::connect`.
-##
-## Returns: true if the arguments match a previously successful call to
-##          :bro:see:`Broker::connect`.
-function Broker::disconnect%(a: string, p: port%): bool
+function Broker::__disconnect%(a: string, p: port%): bool
 	%{
 	if ( ! p->IsTCP() )
 		{
diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif
index 3c3240ff16..dadece9681 100644
--- a/src/broker/messaging.bif
+++ b/src/broker/messaging.bif
@@ -13,202 +13,99 @@ type Broker::SendFlags: record;
 type Broker::EventArgs: record;
 
 ## Used to handle remote print messages from peers that call
-## :bro:see:`Broker::print`.
+## :bro:see:`Broker::send_print`.
 event Broker::print_handler%(msg: string%);
 
-## Print a simple message to any interested peers.  The receiver can use
-## :bro:see:`Broker::print_handler` to handle messages.
-##
-## topic: a topic associated with the printed message.
-##
-## msg: the print message to send to peers.
-##
-## flags: tune the behavior of how the message is sent.
-##
-## Returns: true if the message is sent.
-function Broker::print%(topic: string, msg: string,
-                      flags: SendFlags &default = SendFlags()%): bool
+function Broker::__send_print%(topic: string, msg: string, flags: Broker::SendFlags%): bool
 	%{
 	auto rval = broker_mgr->Print(topic->CheckString(), msg->CheckString(),
 	                            flags);
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Register interest in all peer print messages that use a certain topic prefix.
-## Use :bro:see:`Broker::print_handler` to handle received messages.
-##
-## topic_prefix: a prefix to match against remote message topics.
-##               e.g. an empty prefix matches everything and "a" matches
-##               "alice" and "amy" but not "bob".
-##
-## Returns: true if it's a new print subscription and it is now registered.
-function Broker::subscribe_to_prints%(topic_prefix: string%): bool
+function Broker::__subscribe_to_prints%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->SubscribeToPrints(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Unregister interest in all peer print messages that use a topic prefix.
-##
-## topic_prefix: a prefix previously supplied to a successful call to
-##               :bro:see:`Broker::subscribe_to_prints`.
-##
-## Returns: true if interest in the topic prefix is no longer advertised.
-function Broker::unsubscribe_to_prints%(topic_prefix: string%): bool
+function Broker::__unsubscribe_to_prints%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->UnsubscribeToPrints(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
 ## Create a data structure that may be used to send a remote event via
-## :bro:see:`Broker::event`.
+## :bro:see:`Broker::send_event`.
 ##
 ## args: an event, followed by a list of argument values that may be used
 ##       to call it.
 ##
-## Returns: opaque communication data that may be used to send a remote event.
+## Returns: opaque communication data that may be used to send a remote
+##          event.
 function Broker::event_args%(...%): Broker::EventArgs
 	%{
 	auto rval = broker_mgr->MakeEventArgs(@ARGS@);
 	return rval;
 	%}
 
-## Send an event to any interested peers.
-##
-## topic: a topic associated with the event message.
-##
-## args: event arguments as made by :bro:see:`Broker::event_args`.
-##
-## flags: tune the behavior of how the message is sent.
-##
-## Returns: true if the message is sent.
-function Broker::event%(topic: string, args: Broker::EventArgs,
-                      flags: SendFlags &default = SendFlags()%): bool
+function Broker::__event%(topic: string, args: Broker::EventArgs, flags: Broker::SendFlags%): bool
 	%{
 	auto rval = broker_mgr->Event(topic->CheckString(), args->AsRecordVal(),
 	                            flags);
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Automatically send an event to any interested peers whenever it is
-## locally dispatched (e.g. using "event my_event(...);" in a script).
-##
-## topic: a topic string associated with the event message.
-##        Peers advertise interest by registering a subscription to some prefix
-##        of this topic name.
-##
-## ev: a Bro event value.
-##
-## flags: tune the behavior of how the message is sent.
-##
-## Returns: true if automatic event sending is now enabled.
-function Broker::auto_event%(topic: string, ev: any,
-                           flags: SendFlags &default = SendFlags()%): bool
+function Broker::__auto_event%(topic: string, ev: any, flags: Broker::SendFlags%): bool
 	%{
 	auto rval = broker_mgr->AutoEvent(topic->CheckString(), ev, flags);
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Stop automatically sending an event to peers upon local dispatch.
-##
-## topic: a topic originally given to :bro:see:`Broker::auto_event`.
-##
-## ev: an event originally given to :bro:see:`Broker::auto_event`.
-##
-## Returns: true if automatic events will not occur for the topic/event pair.
-function Broker::auto_event_stop%(topic: string, ev: any%): bool
+function Broker::__auto_event_stop%(topic: string, ev: any%): bool
 	%{
 	auto rval = broker_mgr->AutoEventStop(topic->CheckString(), ev);
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Register interest in all peer event messages that use a certain topic prefix.
-##
-## topic_prefix: a prefix to match against remote message topics.
-##               e.g. an empty prefix matches everything and "a" matches
-##               "alice" and "amy" but not "bob".
-##
-## Returns: true if it's a new event subscription and it is now registered.
-function Broker::subscribe_to_events%(topic_prefix: string%): bool
+function Broker::__subscribe_to_events%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->SubscribeToEvents(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Unregister interest in all peer event messages that use a topic prefix.
-##
-## topic_prefix: a prefix previously supplied to a successful call to
-##               :bro:see:`Broker::subscribe_to_events`.
-##
-## Returns: true if interest in the topic prefix is no longer advertised.
-function Broker::unsubscribe_to_events%(topic_prefix: string%): bool
+function Broker::__unsubscribe_to_events%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->UnsubscribeToEvents(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Enable remote logs for a given log stream.
-##
-## id: the log stream to enable remote logs for.
-##
-## flags: tune the behavior of how log entry messages are sent.
-##
-## Returns: true if remote logs are enabled for the stream.
-function
-Broker::enable_remote_logs%(id: Log::ID,
-                          flags: SendFlags &default = SendFlags()%): bool
+function Broker::__enable_remote_logs%(id: Log::ID, flags: Broker::SendFlags%): bool
 	%{
 	auto rval = log_mgr->EnableRemoteLogs(id->AsEnumVal(),
 	                                   bro_broker::Manager::send_flags_to_int(flags));
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Disable remote logs for a given log stream.
-##
-## id: the log stream to disable remote logs for.
-##
-## Returns: true if remote logs are disabled for the stream.
-function Broker::disable_remote_logs%(id: Log::ID%): bool
+function Broker::__disable_remote_logs%(id: Log::ID%): bool
 	%{
 	auto rval = log_mgr->DisableRemoteLogs(id->AsEnumVal());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Check if remote logs are enabled for a given log stream.
-##
-## id: the log stream to check.
-##
-## Returns: true if remote logs are enabled for the given stream.
-function Broker::remote_logs_enabled%(id: Log::ID%): bool
+function Broker::__remote_logs_enabled%(id: Log::ID%): bool
 	%{
 	auto rval = log_mgr->RemoteLogsAreEnabled(id->AsEnumVal());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Register interest in all peer log messages that use a certain topic prefix.
-## Logs are implicitly sent with topic "bro/log/<stream-name>" and the
-## receiving side processes them through the logging framework as usual.
-##
-## topic_prefix: a prefix to match against remote message topics.
-##               e.g. an empty prefix matches everything and "a" matches
-##               "alice" and "amy" but not "bob".
-##
-## Returns: true if it's a new log subscription and it is now registered.
-function Broker::subscribe_to_logs%(topic_prefix: string%): bool
+function Broker::__subscribe_to_logs%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->SubscribeToLogs(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
 	%}
 
-## Unregister interest in all peer log messages that use a topic prefix.
-## Logs are implicitly sent with topic "bro/log/<stream-name>" and the
-## receiving side processes them through the logging framework as usual.
-##
-## topic_prefix: a prefix previously supplied to a successful call to
-##               :bro:see:`Broker::subscribe_to_logs`.
-##
-## Returns: true if interest in the topic prefix is no longer advertised.
-function Broker::unsubscribe_to_logs%(topic_prefix: string%): bool
+function Broker::__unsubscribe_to_logs%(topic_prefix: string%): bool
 	%{
 	auto rval = broker_mgr->UnsubscribeToLogs(topic_prefix->CheckString());
 	return new Val(rval, TYPE_BOOL);
diff --git a/src/broker/store.bif b/src/broker/store.bif
index 57bddd3da7..6d7ddea6af 100644
--- a/src/broker/store.bif
+++ b/src/broker/store.bif
@@ -23,16 +23,7 @@ enum BackendType %{
 	ROCKSDB,
 %}
 
-## Create a master data store which contains key-value pairs.
-##
-## id: a unique name for the data store.
-##
-## b: the storage backend to use.
-##
-## options: tunes how some storage backends operate.
-##
-## Returns: a handle to the data store.
-function Broker::create_master%(id: string, b: BackendType &default = MEMORY,
+function Broker::__create_master%(id: string, b: BackendType,
                                options: BackendOptions &default = BackendOptions()%): opaque of Broker::Handle
 	%{
 	auto id_str = id->CheckString();
@@ -53,29 +44,7 @@ function Broker::create_master%(id: string, b: BackendType &default = MEMORY,
 	return rval;
 	%}
 
-## Create a clone of a master data store which may live with a remote peer.
-## A clone automatically synchronizes to the master by automatically receiving
-## modifications and applying them locally.  Direct modifications are not
-## possible, they must be sent through the master store, which then
-## automatically broadcasts the changes out to clones.  But queries may be made
-## directly against the local cloned copy, which may be resolved quicker than
-## reaching out to a remote master store.
-##
-## id: the unique name which identifies the master data store.
-##
-## b: the storage backend to use.
-##
-## options: tunes how some storage backends operate.
-##
-## resync: the interval at which to re-attempt synchronizing with the master
-##         store should the connection be lost.  If the clone has not yet
-##         synchronized for the first time, updates and queries queue up until
-##         the synchronization completes.  After, if the connection to the
-##         master store is lost, queries continue to use the clone's version,
-##         but updates will be lost until the master is once again available.
-##
-## Returns: a handle to the data store.
-function Broker::create_clone%(id: string, b: BackendType &default = MEMORY,
+function Broker::__create_clone%(id: string, b: BackendType,
                               options: BackendOptions &default = BackendOptions(),
                               resync: interval &default = 1sec%): opaque of Broker::Handle
 	%{
@@ -98,13 +67,7 @@ function Broker::create_clone%(id: string, b: BackendType &default = MEMORY,
 	return rval;
 	%}
 
-## Create a frontend interface to an existing master data store that allows
-## querying and updating its contents.
-##
-## id: the unique name which identifies the master data store.
-##
-## Returns: a handle to the data store.
-function Broker::create_frontend%(id: string%): opaque of Broker::Handle
+function Broker::__create_frontend%(id: string%): opaque of Broker::Handle
 	%{
 	auto id_str = id->CheckString();
 	auto type = bro_broker::StoreType::FRONTEND;
@@ -122,13 +85,7 @@ function Broker::create_frontend%(id: string%): opaque of Broker::Handle
 	return rval;
 	%}
 
-## Close a data store.
-##
-## h: a data store handle.
-##
-## Returns: true if store was valid and is now closed.  The handle can no
-##          longer be used for data store operations.
-function Broker::close_by_handle%(h: opaque of Broker::Handle%): bool
+function Broker::__close_by_handle%(h: opaque of Broker::Handle%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -143,18 +100,7 @@ function Broker::close_by_handle%(h: opaque of Broker::Handle%): bool
 # non-blocking update API #
 ###########################
 
-## Insert a key-value pair in to the store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key to insert.
-##
-## v: the value to insert.
-##
-## e: the expiration time of the key-value pair.
-##
-## Returns: false if the store handle was not valid.
-function Broker::insert%(h: opaque of Broker::Handle,
+function Broker::__insert%(h: opaque of Broker::Handle,
                         k: Broker::Data, v: Broker::Data,
                         e: Broker::ExpiryTime &default = Broker::ExpiryTime()%): bool
 	%{
@@ -191,14 +137,7 @@ function Broker::insert%(h: opaque of Broker::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Remove a key-value pair from the store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key to remove.
-##
-## Returns: false if the store handle was not valid.
-function Broker::erase%(h: opaque of Broker::Handle, k: Broker::Data%): bool
+function Broker::__erase%(h: opaque of Broker::Handle, k: Broker::Data%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -210,12 +149,7 @@ function Broker::erase%(h: opaque of Broker::Handle, k: Broker::Data%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Remove all key-value pairs from the store.
-##
-## h: the handle of the store to modify.
-##
-## Returns: false if the store handle was not valid.
-function Broker::clear%(h: opaque of Broker::Handle%): bool
+function Broker::__clear%(h: opaque of Broker::Handle%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
 
@@ -226,17 +160,7 @@ function Broker::clear%(h: opaque of Broker::Handle%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Increment an integer value in a data store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## by: the amount to increment the value by.  A non-existent key will first
-##     create it with an implicit value of zero before incrementing.
-##
-## Returns: false if the store handle was not valid.
-function Broker::increment%(h: opaque of Broker::Handle,
+function Broker::__increment%(h: opaque of Broker::Handle,
                            k: Broker::Data, by: int &default = +1%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@@ -249,17 +173,7 @@ function Broker::increment%(h: opaque of Broker::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Decrement an integer value in a data store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## by: the amount to decrement the value by.  A non-existent key will first
-##     create it with an implicit value of zero before decrementing.
-##
-## Returns: false if the store handle was not valid.
-function Broker::decrement%(h: opaque of Broker::Handle,
+function Broker::__decrement%(h: opaque of Broker::Handle,
                            k: Broker::Data, by: int &default = +1%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@@ -272,17 +186,7 @@ function Broker::decrement%(h: opaque of Broker::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Add an element to a set value in a data store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## element: the element to add to the set.  A non-existent key will first
-##          create it with an implicit empty set value before modifying.
-##
-## Returns: false if the store handle was not valid.
-function Broker::add_to_set%(h: opaque of Broker::Handle,
+function Broker::__add_to_set%(h: opaque of Broker::Handle,
                             k: Broker::Data, element: Broker::Data%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@@ -296,17 +200,7 @@ function Broker::add_to_set%(h: opaque of Broker::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Remove an element from a set value in a data store.
-##
-## h: the handle of the store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## element: the element to remove from the set.  A non-existent key will
-##          implicitly create an empty set value associated with the key.
-##
-## Returns: false if the store handle was not valid.
-function Broker::remove_from_set%(h: opaque of Broker::Handle,
+function Broker::__remove_from_set%(h: opaque of Broker::Handle,
                                  k: Broker::Data, element: Broker::Data%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@@ -320,17 +214,7 @@ function Broker::remove_from_set%(h: opaque of Broker::Handle,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Add a new item to the head of a vector value in a data store.
-##
-## h: the handle of store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## items: the element to insert in to the vector.  A non-existent key will first
-##        create an empty vector value before modifying.
-##
-## Returns: false if the store handle was not valid.
-function Broker::push_left%(h: opaque of Broker::Handle, k: Broker::Data,
+function Broker::__push_left%(h: opaque of Broker::Handle, k: Broker::Data,
                            items: Broker::DataVector%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@@ -353,17 +237,7 @@ function Broker::push_left%(h: opaque of Broker::Handle, k: Broker::Data,
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Add a new item to the tail of a vector value in a data store.
-##
-## h: the handle of store to modify.
-##
-## k: the key whose associated value is to be modified.
-##
-## items: the element to insert in to the vector.  A non-existent key will first
-##        create an empty vector value before modifying.
-##
-## Returns: false if the store handle was not valid.
-function Broker::push_right%(h: opaque of Broker::Handle, k: Broker::Data,
+function Broker::__push_right%(h: opaque of Broker::Handle, k: Broker::Data,
                             items: Broker::DataVector%): bool
 	%{
 	auto handle = static_cast<bro_broker::StoreHandleVal*>(h);
@@ -437,14 +311,7 @@ static bool prepare_for_query(Val* opaque, Frame* frame,
 
 %%}
 
-## Pop the head of a data store vector value.
-##
-## h: the handle of the store to query.
-##
-## k: the key associated with the vector to modify.
-##
-## Returns: the result of the query.
-function Broker::pop_left%(h: opaque of Broker::Handle,
+function Broker::__pop_left%(h: opaque of Broker::Handle,
                           k: Broker::Data%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
@@ -467,14 +334,7 @@ function Broker::pop_left%(h: opaque of Broker::Handle,
 	return 0;
 	%}
 
-## Pop the tail of a data store vector value.
-##
-## h: the handle of the store to query.
-##
-## k: the key associated with the vector to modify.
-##
-## Returns: the result of the query.
-function Broker::pop_right%(h: opaque of Broker::Handle,
+function Broker::__pop_right%(h: opaque of Broker::Handle,
                            k: Broker::Data%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
@@ -497,14 +357,7 @@ function Broker::pop_right%(h: opaque of Broker::Handle,
 	return 0;
 	%}
 
-## Lookup the value associated with a key in a data store.
-##
-## h: the handle of the store to query.
-##
-## k: the key to lookup.
-##
-## Returns: the result of the query.
-function Broker::lookup%(h: opaque of Broker::Handle,
+function Broker::__lookup%(h: opaque of Broker::Handle,
                        k: Broker::Data%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
@@ -527,14 +380,7 @@ function Broker::lookup%(h: opaque of Broker::Handle,
 	return 0;
 	%}
 
-## Check if a data store contains a given key.
-##
-## h: the handle of the store to query.
-##
-## k: the key to check for existence.
-##
-## Returns: the result of the query (uses :bro:see:`Broker::BOOL`).
-function Broker::exists%(h: opaque of Broker::Handle,
+function Broker::__exists%(h: opaque of Broker::Handle,
                         k: Broker::Data%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
@@ -557,12 +403,7 @@ function Broker::exists%(h: opaque of Broker::Handle,
 	return 0;
 	%}
 
-## Retrieve all keys in a data store.
-##
-## h: the handle of the store to query.
-##
-## Returns: the result of the query (uses :bro:see:`Broker::VECTOR`).
-function Broker::keys%(h: opaque of Broker::Handle%): Broker::QueryResult
+function Broker::__keys%(h: opaque of Broker::Handle%): Broker::QueryResult
 	%{
 	double timeout;
 	bro_broker::StoreQueryCallback* cb;
@@ -575,12 +416,7 @@ function Broker::keys%(h: opaque of Broker::Handle%): Broker::QueryResult
 	return 0;
 	%}
 
-## Get the number of key-value pairs in a data store.
-##
-## h: the handle of the store to query.
-##
-## Returns: the result of the query (uses :bro:see:`Broker::COUNT`).
-function Broker::size%(h: opaque of Broker::Handle%): Broker::QueryResult
+function Broker::__size%(h: opaque of Broker::Handle%): Broker::QueryResult
 	%{
 	if ( ! broker_mgr->Enabled() )
 		return bro_broker::query_result();
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index b5107374d1..7e55509a86 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-04-22-23-21-01
+#open	2016-04-26-21-21-19
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -17,7 +17,10 @@ scripts/base/init-bare.bro
   build/scripts/base/bif/event.bif.bro
   scripts/base/frameworks/broker/__load__.bro
     scripts/base/frameworks/broker/main.bro
+      build/scripts/base/bif/comm.bif.bro
+      build/scripts/base/bif/messaging.bif.bro
     scripts/base/frameworks/broker/store.bro
+      build/scripts/base/bif/store.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
       build/scripts/base/bif/logging.bif.bro
@@ -51,10 +54,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
-    build/scripts/base/bif/comm.bif.bro
     build/scripts/base/bif/data.bif.bro
-    build/scripts/base/bif/messaging.bif.bro
-    build/scripts/base/bif/store.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
@@ -131,4 +131,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2016-04-22-23-21-01
+#close	2016-04-26-21-21-19
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index c2db0ad12e..075a7c1389 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-04-22-23-21-18
+#open	2016-04-26-21-21-31
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -17,7 +17,10 @@ scripts/base/init-bare.bro
   build/scripts/base/bif/event.bif.bro
   scripts/base/frameworks/broker/__load__.bro
     scripts/base/frameworks/broker/main.bro
+      build/scripts/base/bif/comm.bif.bro
+      build/scripts/base/bif/messaging.bif.bro
     scripts/base/frameworks/broker/store.bro
+      build/scripts/base/bif/store.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
       build/scripts/base/bif/logging.bif.bro
@@ -51,10 +54,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
-    build/scripts/base/bif/comm.bif.bro
     build/scripts/base/bif/data.bif.bro
-    build/scripts/base/bif/messaging.bif.bro
-    build/scripts/base/bif/store.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
@@ -302,4 +302,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2016-04-22-23-21-18
+#close	2016-04-26-21-21-31
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index d4bd063e12..a39e6d8dd8 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -230,7 +230,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -351,7 +351,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -566,6 +566,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/bro.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/broker) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/cluster) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/comm.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/communication) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/conn) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/conn-ids) -> -1
@@ -596,6 +597,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/logging.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/main) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/messaging.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/modbus) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/mysql) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/netcontrol) -> -1
@@ -623,6 +625,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/software) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/ssh) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/ssl) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/store.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/strings) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/strings.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/sumstats) -> -1
@@ -870,7 +873,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -991,7 +994,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1206,6 +1209,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/bro.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/broker)
 0.000000   MetaHookPre   LoadFile(base<...>/cluster)
+0.000000   MetaHookPre   LoadFile(base<...>/comm.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/communication)
 0.000000   MetaHookPre   LoadFile(base<...>/conn)
 0.000000   MetaHookPre   LoadFile(base<...>/conn-ids)
@@ -1236,6 +1240,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/logging)
 0.000000   MetaHookPre   LoadFile(base<...>/logging.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/main)
+0.000000   MetaHookPre   LoadFile(base<...>/messaging.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/modbus)
 0.000000   MetaHookPre   LoadFile(base<...>/mysql)
 0.000000   MetaHookPre   LoadFile(base<...>/netcontrol)
@@ -1263,6 +1268,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/software)
 0.000000   MetaHookPre   LoadFile(base<...>/ssh)
 0.000000   MetaHookPre   LoadFile(base<...>/ssl)
+0.000000   MetaHookPre   LoadFile(base<...>/store.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/strings)
 0.000000   MetaHookPre   LoadFile(base<...>/strings.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/sumstats)
@@ -1509,7 +1515,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1630,7 +1636,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
diff --git a/testing/btest/broker/remote_event.test b/testing/btest/broker/remote_event.test
index e18fc3715f..bd3c087d9a 100644
--- a/testing/btest/broker/remote_event.test
+++ b/testing/btest/broker/remote_event.test
@@ -40,7 +40,7 @@ event event_handler(msg: string, n: count)
 
 	event auto_event_handler(msg, n);
 	local args = Broker::event_args(event_handler, "pong", n);
-	Broker::event("bro/event/my_topic", args);
+	Broker::send_event("bro/event/my_topic", args);
 	}
 
 @TEST-END-FILE
@@ -68,7 +68,7 @@ event Broker::outgoing_connection_established(peer_address: string,
 	{
 	print "Broker::outgoing_connection_established", peer_address, peer_port;
 	local args = Broker::event_args(event_handler, "ping", event_count);
-	Broker::event("bro/event/hi", args);
+	Broker::send_event("bro/event/hi", args);
 	++event_count;
 	}
 
@@ -82,7 +82,7 @@ event event_handler(msg: string, n: count)
 	{
 	print "got event msg", msg, n;
 	local args = Broker::event_args(event_handler, "ping", event_count);
-    Broker::event("bro/event/hi", args);
+    Broker::send_event("bro/event/hi", args);
 	++event_count;
 	}
 
diff --git a/testing/btest/broker/remote_print.test b/testing/btest/broker/remote_print.test
index a3c06599ae..9cfcc44ca9 100644
--- a/testing/btest/broker/remote_print.test
+++ b/testing/btest/broker/remote_print.test
@@ -35,7 +35,7 @@ event Broker::print_handler(msg: string)
 		return;
 		}
 
-	Broker::print("bro/print/my_topic", fmt("pong %d", messages_sent));
+	Broker::send_print("bro/print/my_topic", fmt("pong %d", messages_sent));
 	++messages_sent;
 	}
 
@@ -62,7 +62,7 @@ event Broker::outgoing_connection_established(peer_address: string,
                                             peer_name: string)
 	{
 	print "Broker::outgoing_connection_established", peer_address, peer_port;
-	Broker::print("bro/print/hi", fmt("ping %d", messages_sent));
+	Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
 
@@ -76,7 +76,7 @@ event Broker::print_handler(msg: string)
 	{
 	++messages_recv;
 	print "got print msg", msg;
-	Broker::print("bro/print/hi", fmt("ping %d", messages_sent));
+	Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
 
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
index 31d5f4df96..779799ab4f 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
@@ -105,14 +105,14 @@ event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::
 	{
 	print "add_rule", id, r$entity, r$ty, ar;
 
-	Broker::event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
 	}
 
 event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
 	{
 	print "remove_rule", id, r$entity, r$ty, ar;
 
-	Broker::event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
 
 	if ( r$cid == 4 )
 		terminate();
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
index 89743296b1..83a9cfc1af 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro
@@ -98,14 +98,14 @@ event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::
 	{
 	print "add_rule", id, r$entity, r$ty, ar;
 
-	Broker::event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command));
 	}
 
 event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
 	{
 	print "remove_rule", id, r$entity, r$ty, ar;
 
-	Broker::event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command));
 
 	if ( r$cid == 4 )
 		terminate();
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
index 652f89f4a5..4dbf3a09d2 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
@@ -89,15 +89,15 @@ event NetControl::broker_add_rule(id: count, r: NetControl::Rule)
 	{
 	print "add_rule", id, r$entity, r$ty;
 
-	Broker::event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_added, id, r, ""));
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_added, id, r, ""));
 	}
 
 event NetControl::broker_remove_rule(id: count, r: NetControl::Rule)
 	{
 	print "remove_rule", id, r$entity, r$ty;
 
-	Broker::event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()));
-	Broker::event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_removed, id, r, ""));
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()));
+	Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_removed, id, r, ""));
 
 	if ( r$cid == 3 )
 		terminate();
diff --git a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro
index ed1afb4c3e..014f07390b 100644
--- a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro
+++ b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro
@@ -104,8 +104,8 @@ function got_message()
 event OpenFlow::broker_flow_mod(name: string, dpid: count, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod)
 	{
 	print "got flow_mod", dpid, match, flow_mod;
-	Broker::event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_success, name, match, flow_mod, ""));
-	Broker::event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_failure, name, match, flow_mod, ""));
+	Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_success, name, match, flow_mod, ""));
+	Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_failure, name, match, flow_mod, ""));
 	got_message();
 	}
 

From 4df948f3c8ec7c6967ef3d5a8621107d77543f8e Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Tue, 26 Apr 2016 22:01:09 -0500
Subject: [PATCH 09/17] Add script wrapper functions for broker data BIFs

---
 scripts/base/frameworks/broker/store.bro      | 702 ++++++++++++++++++
 src/broker/data.bif                           | 434 ++---------
 .../canonified_loaded_scripts.log             |   6 +-
 .../canonified_loaded_scripts.log             |   6 +-
 testing/btest/Baseline/plugins.hooks/output   |  14 +-
 5 files changed, 769 insertions(+), 393 deletions(-)

diff --git a/scripts/base/frameworks/broker/store.bro b/scripts/base/frameworks/broker/store.bro
index 36565d72aa..f93b701d1c 100644
--- a/scripts/base/frameworks/broker/store.bro
+++ b/scripts/base/frameworks/broker/store.bro
@@ -1,6 +1,7 @@
 ##! Various data structure definitions for use with Bro's communication system.
 
 @load ./main
+@load base/bif/data.bif
 
 module Broker;
 
@@ -282,6 +283,443 @@ export {
 	## Returns: the result of the query (uses :bro:see:`Broker::COUNT`).
 	global size: function(h: opaque of Broker::Handle): QueryResult;
 
+	##########################
+	# data API               #
+	##########################
+
+	## Convert any Bro value to communication data.
+	##
+	## d: any Bro value to attempt to convert (not all types are supported).
+	##
+	## Returns: the converted communication data.  The returned record's optional
+	##          field will not be set if the conversion was not possible (this can
+	##          happen if the Bro data type does not support being converted to
+	##          communication data).
+	global data: function(d: any): Broker::Data;
+
+	## Retrieve the type of data associated with communication data.
+	##
+	## d: the communication data.
+	##
+	## Returns: the data type associated with the communication data.
+	global data_type: function(d: Broker::Data): Broker::DataType;
+
+	## Convert communication data with a type of :bro:see:`Broker::BOOL` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_bool: function(d: Broker::Data): bool;
+
+	## Convert communication data with a type of :bro:see:`Broker::INT` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_int: function(d: Broker::Data): int;
+
+	## Convert communication data with a type of :bro:see:`Broker::COUNT` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_count: function(d: Broker::Data): count;
+
+	## Convert communication data with a type of :bro:see:`Broker::DOUBLE` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_double: function(d: Broker::Data): double;
+
+	## Convert communication data with a type of :bro:see:`Broker::STRING` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_string: function(d: Broker::Data): string;
+
+	## Convert communication data with a type of :bro:see:`Broker::ADDR` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_addr: function(d: Broker::Data): addr;
+
+	## Convert communication data with a type of :bro:see:`Broker::SUBNET` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_subnet: function(d: Broker::Data): subnet;
+
+	## Convert communication data with a type of :bro:see:`Broker::PORT` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_port: function(d: Broker::Data): port;
+
+	## Convert communication data with a type of :bro:see:`Broker::TIME` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_time: function(d: Broker::Data): time;
+
+	## Convert communication data with a type of :bro:see:`Broker::INTERVAL` to
+	## an actual Bro value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the value retrieved from the communication data.
+	global refine_to_interval: function(d: Broker::Data): interval;
+
+	## Convert communication data with a type of :bro:see:`Broker::ENUM` to
+	## the name of the enum value.  :bro:see:`lookup_ID` may be used to convert
+	## the name to the actual enum value.
+	##
+	## d: the communication data to convert.
+	##
+	## Returns: the enum name retrieved from the communication data.
+	global refine_to_enum_name: function(d: Broker::Data): string;
+
+	## Create communication data of type "set".
+	global set_create: function(): Broker::Data;
+
+	## Remove all elements within a set.
+	##
+	## s: the set to clear.
+	##
+	## Returns: always true.
+	global set_clear: function(s: Broker::Data): bool;
+
+	## Get the number of elements within a set.
+	##
+	## s: the set to query.
+	##
+	## Returns: the number of elements in the set.
+	global set_size: function(s: Broker::Data): count;
+
+	## Check if a set contains a particular element.
+	##
+	## s: the set to query.
+	##
+	## key: the element to check for existence.
+	##
+	## Returns: true if the key exists in the set.
+	global set_contains: function(s: Broker::Data, key: Broker::Data): bool;
+
+	## Insert an element into a set.
+	##
+	## s: the set to modify.
+	##
+	## key: the element to insert.
+	##
+	## Returns: true if the key was inserted, or false if it already existed.
+	global set_insert: function(s: Broker::Data, key: Broker::Data): bool;
+
+	## Remove an element from a set.
+	##
+	## s: the set to modify.
+	##
+	## key: the element to remove.
+	##
+	## Returns: true if the element existed in the set and is now removed.
+	global set_remove: function(s: Broker::Data, key: Broker::Data): bool;
+
+	## Create an iterator for a set.  Note that this makes a copy of the set
+	## internally to ensure the iterator is always valid.
+	##
+	## s: the set to iterate over.
+	##
+	## Returns: an iterator.
+	global set_iterator: function(s: Broker::Data): opaque of Broker::SetIterator;
+
+	## Check if there are no more elements to iterate over.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if there are no more elements to iterator over, i.e.
+	##          the iterator is one-past-the-final-element.
+	global set_iterator_last: function(it: opaque of Broker::SetIterator): bool;
+
+	## Advance an iterator.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if the iterator, after advancing, still references an element
+	##          in the collection.  False if the iterator, after advancing, is
+	##          one-past-the-final-element.
+	global set_iterator_next: function(it: opaque of Broker::SetIterator): bool;
+
+	## Retrieve the data at an iterator's current position.
+	##
+	## it: an iterator.
+	##
+	## Returns: element in the collection that the iterator currently references.
+	global set_iterator_value: function(it: opaque of Broker::SetIterator): Broker::Data;
+
+	## Create communication data of type "table".
+	global table_create: function(): Broker::Data;
+
+	## Remove all elements within a table.
+	##
+	## t: the table to clear.
+	##
+	## Returns: always true.
+	global table_clear: function(t: Broker::Data): bool;
+
+	## Get the number of elements within a table.
+	##
+	## t: the table to query.
+	##
+	## Returns: the number of elements in the table.
+	global table_size: function(t: Broker::Data): count;
+
+	## Check if a table contains a particular key.
+	##
+	## t: the table to query.
+	##
+	## key: the key to check for existence.
+	##
+	## Returns: true if the key exists in the table.
+	global table_contains: function(t: Broker::Data, key: Broker::Data): bool;
+
+	## Insert a key-value pair into a table.
+	##
+	## t: the table to modify.
+	##
+	## key: the key at which to insert the value.
+	##
+	## val: the value to insert.
+	##
+	## Returns: true if the key-value pair was inserted, or false if the key
+	##          already existed in the table.
+	global table_insert: function(t: Broker::Data, key: Broker::Data, val: Broker::Data): Broker::Data;
+
+	## Remove a key-value pair from a table.
+	##
+	## t: the table to modify.
+	##
+	## key: the key to remove from the table.
+	##
+	## Returns: the value associated with the key.  If the key did not exist, then
+	##          the optional field of the returned record is not set.
+	global table_remove: function(t: Broker::Data, key: Broker::Data): Broker::Data;
+
+	## Retrieve a value from a table.
+	##
+	## t: the table to query.
+	##
+	## key: the key to lookup.
+	##
+	## Returns: the value associated with the key.  If the key did not exist, then
+	##          the optional field of the returned record is not set.
+	global table_lookup: function(t: Broker::Data, key: Broker::Data): Broker::Data;
+
+	## Create an iterator for a table.  Note that this makes a copy of the table
+	## internally to ensure the iterator is always valid.
+	##
+	## t: the table to iterate over.
+	##
+	## Returns: an iterator.
+	global table_iterator: function(t: Broker::Data): opaque of Broker::TableIterator;
+
+	## Check if there are no more elements to iterate over.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if there are no more elements to iterator over, i.e.
+	##          the iterator is one-past-the-final-element.
+	global table_iterator_last: function(it: opaque of Broker::TableIterator): bool;
+
+	## Advance an iterator.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if the iterator, after advancing, still references an element
+	##          in the collection.  False if the iterator, after advancing, is
+	##          one-past-the-final-element.
+	global table_iterator_next: function(it: opaque of Broker::TableIterator): bool;
+
+	## Retrieve the data at an iterator's current position.
+	##
+	## it: an iterator.
+	##
+	## Returns: element in the collection that the iterator currently references.
+	global table_iterator_value: function(it: opaque of Broker::TableIterator): Broker::TableItem;
+
+	## Create communication data of type "vector".
+	global vector_create: function(): Broker::Data;
+
+	## Remove all elements within a vector.
+	##
+	## v: the vector to clear.
+	##
+	## Returns: always true.
+	global vector_clear: function(v: Broker::Data): bool;
+
+	## Get the number of elements within a vector.
+	##
+	## v: the vector to query.
+	##
+	## Returns: the number of elements in the vector.
+	global vector_size: function(v: Broker::Data): count;
+
+	## Insert an element into a vector at a particular position, possibly displacing
+	## existing elements (insertion always grows the size of the vector by one).
+	##
+	## v: the vector to modify.
+	##
+	## d: the element to insert.
+	##
+	## idx: the index at which to insert the data.  If it is greater than the
+	##      current size of the vector, the element is inserted at the end.
+	##
+	## Returns: always true.
+	global vector_insert: function(v: Broker::Data, d: Broker::Data, idx: count): bool;
+
+	## Replace an element in a vector at a particular position.
+	##
+	## v: the vector to modify.
+	##
+	## d: the element to insert.
+	##
+	## idx: the index to replace.
+	##
+	## Returns: the value that was just evicted.  If the index was larger than any
+	##          valid index, the optional field of the returned record is not set.
+	global vector_replace: function(v: Broker::Data, d: Broker::Data, idx: count): Broker::Data;
+
+	## Remove an element from a vector at a particular position.
+	##
+	## v: the vector to modify.
+	##
+	## idx: the index to remove.
+	##
+	## Returns: the value that was just evicted.  If the index was larger than any
+	##          valid index, the optional field of the returned record is not set.
+	global vector_remove: function(v: Broker::Data, idx: count): Broker::Data;
+
+	## Lookup an element in a vector at a particular position.
+	##
+	## v: the vector to query.
+	##
+	## idx: the index to lookup.
+	##
+	## Returns: the value at the index.  If the index was larger than any
+	##          valid index, the optional field of the returned record is not set.
+	global vector_lookup: function(v: Broker::Data, idx: count): Broker::Data;
+
+	## Create an iterator for a vector.  Note that this makes a copy of the vector
+	## internally to ensure the iterator is always valid.
+	##
+	## v: the vector to iterate over.
+	##
+	## Returns: an iterator.
+	global vector_iterator: function(v: Broker::Data): opaque of Broker::VectorIterator;
+
+	## Check if there are no more elements to iterate over.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if there are no more elements to iterator over, i.e.
+	##          the iterator is one-past-the-final-element.
+	global vector_iterator_last: function(it: opaque of Broker::VectorIterator): bool;
+
+	## Advance an iterator.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if the iterator, after advancing, still references an element
+	##          in the collection.  False if the iterator, after advancing, is
+	##          one-past-the-final-element.
+	global vector_iterator_next: function(it: opaque of Broker::VectorIterator): bool;
+
+	## Retrieve the data at an iterator's current position.
+	##
+	## it: an iterator.
+	##
+	## Returns: element in the collection that the iterator currently references.
+	global vector_iterator_value: function(it: opaque of Broker::VectorIterator): Broker::Data;
+
+	## Create communication data of type "record".
+	##
+	## sz: the number of fields in the record.
+	##
+	## Returns: record data, with all fields uninitialized.
+	global record_create: function(sz: count): Broker::Data;
+
+	## Get the number of fields within a record.
+	##
+	## r: the record to query.
+	##
+	## Returns: the number of fields in the record.
+	global record_size: function(r: Broker::Data): count;
+
+	## Replace a field in a record at a particular position.
+	##
+	## r: the record to modify.
+	##
+	## d: the new field value to assign.
+	##
+	## idx: the index to replace.
+	##
+	## Returns: false if the index was larger than any valid index, else true.
+	global record_assign: function(r: Broker::Data, d: Broker::Data, idx: count): bool;
+
+	## Lookup a field in a record at a particular position.
+	##
+	## r: the record to query.
+	##
+	## idx: the index to lookup.
+	##
+	## Returns: the value at the index.  The optional field of the returned record
+	##          may not be set if the field of the record has no value or if the
+	##          index was not valid.
+	global record_lookup: function(r: Broker::Data, idx: count): Broker::Data;
+
+	## Create an iterator for a record.  Note that this makes a copy of the record
+	## internally to ensure the iterator is always valid.
+	##
+	## r: the record to iterate over.
+	##
+	## Returns: an iterator.
+	global record_iterator: function(r: Broker::Data): opaque of Broker::RecordIterator;
+
+	## Check if there are no more elements to iterate over.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if there are no more elements to iterator over, i.e.
+	##          the iterator is one-past-the-final-element.
+	global record_iterator_last: function(it: opaque of Broker::RecordIterator): bool;
+
+	## Advance an iterator.
+	##
+	## it: an iterator.
+	##
+	## Returns: true if the iterator, after advancing, still references an element
+	##          in the collection.  False if the iterator, after advancing, is
+	##          one-past-the-final-element.
+	global record_iterator_next: function(it: opaque of Broker::RecordIterator): bool;
+
+	## Retrieve the data at an iterator's current position.
+	##
+	## it: an iterator.
+	##
+	## Returns: element in the collection that the iterator currently references.
+	global record_iterator_value: function(it: opaque of Broker::RecordIterator): Broker::Data;
 }
 
 @load base/bif/store.bif
@@ -393,3 +831,267 @@ function size(h: opaque of Broker::Handle): QueryResult
 	return __size(h);
 	}
 
+function data(d: any): Broker::Data
+	{
+	return __data(d);
+	}
+
+function data_type(d: Broker::Data): Broker::DataType
+	{
+	return __data_type(d);
+	}
+
+function refine_to_bool(d: Broker::Data): bool
+	{
+	return __refine_to_bool(d);
+	}
+
+function refine_to_int(d: Broker::Data): int
+	{
+	return __refine_to_int(d);
+	}
+
+function refine_to_count(d: Broker::Data): count
+	{
+	return __refine_to_count(d);
+	}
+
+function refine_to_double(d: Broker::Data): double
+	{
+	return __refine_to_double(d);
+	}
+
+function refine_to_string(d: Broker::Data): string
+	{
+	return __refine_to_string(d);
+	}
+
+function refine_to_addr(d: Broker::Data): addr
+	{
+	return __refine_to_addr(d);
+	}
+
+function refine_to_subnet(d: Broker::Data): subnet
+	{
+	return __refine_to_subnet(d);
+	}
+
+function refine_to_port(d: Broker::Data): port
+	{
+	return __refine_to_port(d);
+	}
+
+function refine_to_time(d: Broker::Data): time
+	{
+	return __refine_to_time(d);
+	}
+
+function refine_to_interval(d: Broker::Data): interval
+	{
+	return __refine_to_interval(d);
+	}
+
+function refine_to_enum_name(d: Broker::Data): string
+	{
+	return __refine_to_enum_name(d);
+	}
+
+function set_create(): Broker::Data
+	{
+	return __set_create();
+	}
+
+function set_clear(s: Broker::Data): bool
+	{
+	return __set_clear(s);
+	}
+
+function set_size(s: Broker::Data): count
+	{
+	return __set_size(s);
+	}
+
+function set_contains(s: Broker::Data, key: Broker::Data): bool
+	{
+	return __set_contains(s, key);
+	}
+
+function set_insert(s: Broker::Data, key: Broker::Data): bool
+	{
+	return __set_insert(s, key);
+	}
+
+function set_remove(s: Broker::Data, key: Broker::Data): bool
+	{
+	return __set_remove(s, key);
+	}
+
+function set_iterator(s: Broker::Data): opaque of Broker::SetIterator
+	{
+	return __set_iterator(s);
+	}
+
+function set_iterator_last(it: opaque of Broker::SetIterator): bool
+	{
+	return __set_iterator_last(it);
+	}
+
+function set_iterator_next(it: opaque of Broker::SetIterator): bool
+	{
+	return __set_iterator_next(it);
+	}
+
+function set_iterator_value(it: opaque of Broker::SetIterator): Broker::Data
+	{
+	return __set_iterator_value(it);
+	}
+
+function table_create(): Broker::Data
+	{
+	return __table_create();
+	}
+
+function table_clear(t: Broker::Data): bool
+	{
+	return __table_clear(t);
+	}
+
+function table_size(t: Broker::Data): count
+	{
+	return __table_size(t);
+	}
+
+function table_contains(t: Broker::Data, key: Broker::Data): bool
+	{
+	return __table_contains(t, key);
+	}
+
+function table_insert(t: Broker::Data, key: Broker::Data, val: Broker::Data): Broker::Data
+	{
+	return __table_insert(t, key, val);
+	}
+
+function table_remove(t: Broker::Data, key: Broker::Data): Broker::Data
+	{
+	return __table_remove(t, key);
+	}
+
+function table_lookup(t: Broker::Data, key: Broker::Data): Broker::Data
+	{
+	return __table_lookup(t, key);
+	}
+
+function table_iterator(t: Broker::Data): opaque of Broker::TableIterator
+	{
+	return __table_iterator(t);
+	}
+
+function table_iterator_last(it: opaque of Broker::TableIterator): bool
+	{
+	return __table_iterator_last(it);
+	}
+
+function table_iterator_next(it: opaque of Broker::TableIterator): bool
+	{
+	return __table_iterator_next(it);
+	}
+
+function table_iterator_value(it: opaque of Broker::TableIterator): Broker::TableItem
+	{
+	return __table_iterator_value(it);
+	}
+
+function vector_create(): Broker::Data
+	{
+	return __vector_create();
+	}
+
+function vector_clear(v: Broker::Data): bool
+	{
+	return __vector_clear(v);
+	}
+
+function vector_size(v: Broker::Data): count
+	{
+	return __vector_size(v);
+	}
+
+function vector_insert(v: Broker::Data, d: Broker::Data, idx: count): bool
+	{
+	return __vector_insert(v, d, idx);
+	}
+
+function vector_replace(v: Broker::Data, d: Broker::Data, idx: count): Broker::Data
+	{
+	return __vector_replace(v, d, idx);
+	}
+
+function vector_remove(v: Broker::Data, idx: count): Broker::Data
+	{
+	return __vector_remove(v, idx);
+	}
+
+function vector_lookup(v: Broker::Data, idx: count): Broker::Data
+	{
+	return __vector_lookup(v, idx);
+	}
+
+function vector_iterator(v: Broker::Data): opaque of Broker::VectorIterator
+	{
+	return __vector_iterator(v);
+	}
+
+function vector_iterator_last(it: opaque of Broker::VectorIterator): bool
+	{
+	return __vector_iterator_last(it);
+	}
+
+function vector_iterator_next(it: opaque of Broker::VectorIterator): bool
+	{
+	return __vector_iterator_next(it);
+	}
+
+function vector_iterator_value(it: opaque of Broker::VectorIterator): Broker::Data
+	{
+	return __vector_iterator_value(it);
+	}
+
+function record_create(sz: count): Broker::Data
+	{
+	return __record_create(sz);
+	}
+
+function record_size(r: Broker::Data): count
+	{
+	return __record_size(r);
+	}
+
+function record_assign(r: Broker::Data, d: Broker::Data, idx: count): bool
+	{
+	return __record_assign(r, d, idx);
+	}
+
+function record_lookup(r: Broker::Data, idx: count): Broker::Data
+	{
+	return __record_lookup(r, idx);
+	}
+
+function record_iterator(r: Broker::Data): opaque of Broker::RecordIterator
+	{
+	return __record_iterator(r);
+	}
+
+function record_iterator_last(it: opaque of Broker::RecordIterator): bool
+	{
+	return __record_iterator_last(it);
+	}
+
+function record_iterator_next(it: opaque of Broker::RecordIterator): bool
+	{
+	return __record_iterator_next(it);
+	}
+
+function record_iterator_value(it: opaque of Broker::RecordIterator): Broker::Data
+	{
+	return __record_iterator_value(it);
+	}
diff --git a/src/broker/data.bif b/src/broker/data.bif
index d4744f07c6..1788931d86 100644
--- a/src/broker/data.bif
+++ b/src/broker/data.bif
@@ -31,93 +31,44 @@ type Broker::Data: record;
 
 type Broker::TableItem: record;
 
-## Convert any Bro value to communication data.
-##
-## d: any Bro value to attempt to convert (not all types are supported).
-##
-## Returns: the converted communication data.  The returned record's optional
-##          field will not be set if the conversion was not possible (this can
-##          happen if the Bro data type does not support being converted to
-##          communication data).
-function Broker::data%(d: any%): Broker::Data
+function Broker::__data%(d: any%): Broker::Data
 	%{
 	return bro_broker::make_data_val(d);
 	%}
 
-## Retrieve the type of data associated with communication data.
-##
-## d: the communication data.
-##
-## Returns: the data type associated with the communication data.
-function Broker::data_type%(d: Broker::Data%): Broker::DataType
+function Broker::__data_type%(d: Broker::Data%): Broker::DataType
 	%{
 	return bro_broker::get_data_type(d->AsRecordVal(), frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::BOOL` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_bool%(d: Broker::Data%): bool
+function Broker::__refine_to_bool%(d: Broker::Data%): bool
 	%{
 	return bro_broker::refine<bool>(d->AsRecordVal(), TYPE_BOOL, frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::INT` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_int%(d: Broker::Data%): int
+function Broker::__refine_to_int%(d: Broker::Data%): int
 	%{
 	return bro_broker::refine<int64_t>(d->AsRecordVal(), TYPE_INT, frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::COUNT` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_count%(d: Broker::Data%): count
+function Broker::__refine_to_count%(d: Broker::Data%): count
 	%{
 	return bro_broker::refine<uint64_t>(d->AsRecordVal(), TYPE_COUNT, frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::DOUBLE` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_double%(d: Broker::Data%): double
+function Broker::__refine_to_double%(d: Broker::Data%): double
 	%{
 	return bro_broker::refine<double>(d->AsRecordVal(), TYPE_DOUBLE, frame);
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::STRING` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_string%(d: Broker::Data%): string
+function Broker::__refine_to_string%(d: Broker::Data%): string
 	%{
 	return new StringVal(bro_broker::require_data_type<std::string>(d->AsRecordVal(),
 												              TYPE_STRING,
 															  frame));
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::ADDR` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_addr%(d: Broker::Data%): addr
+function Broker::__refine_to_addr%(d: Broker::Data%): addr
 	%{
 	auto& a = bro_broker::require_data_type<broker::address>(d->AsRecordVal(),
 													   TYPE_ADDR, frame);
@@ -125,13 +76,7 @@ function Broker::refine_to_addr%(d: Broker::Data%): addr
 	return new AddrVal(IPAddr(*bits));
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::SUBNET` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_subnet%(d: Broker::Data%): subnet
+function Broker::__refine_to_subnet%(d: Broker::Data%): subnet
 	%{
 	auto& a = bro_broker::require_data_type<broker::subnet>(d->AsRecordVal(),
 													  TYPE_SUBNET, frame);
@@ -139,71 +84,40 @@ function Broker::refine_to_subnet%(d: Broker::Data%): subnet
 	return new SubNetVal(IPPrefix(IPAddr(*bits), a.length()));
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::PORT` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_port%(d: Broker::Data%): port
+function Broker::__refine_to_port%(d: Broker::Data%): port
 	%{
 	auto& a = bro_broker::require_data_type<broker::port>(d->AsRecordVal(),
 													TYPE_SUBNET, frame);
 	return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type()));
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::TIME` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_time%(d: Broker::Data%): time
+function Broker::__refine_to_time%(d: Broker::Data%): time
 	%{
 	auto v = bro_broker::require_data_type<broker::time_point>(d->AsRecordVal(),
 														TYPE_TIME, frame).value;
 	return new Val(v, TYPE_TIME);
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::INTERVAL` to
-## an actual Bro value.
-##
-## d: the communication data to convert.
-##
-## Returns: the value retrieved from the communication data.
-function Broker::refine_to_interval%(d: Broker::Data%): interval
+function Broker::__refine_to_interval%(d: Broker::Data%): interval
 	%{
 	auto v = bro_broker::require_data_type<broker::time_duration>(d->AsRecordVal(),
 														TYPE_TIME, frame).value;
 	return new Val(v, TYPE_INTERVAL);
 	%}
 
-## Convert communication data with a type of :bro:see:`Broker::ENUM` to
-## the name of the enum value.  :bro:see:`lookup_ID` may be used to convert
-## the name to the actual enum value.
-##
-## d: the communication data to convert.
-##
-## Returns: the enum name retrieved from the communication data.
-function Broker::refine_to_enum_name%(d: Broker::Data%): string
+function Broker::__refine_to_enum_name%(d: Broker::Data%): string
 	%{
 	auto& v = bro_broker::require_data_type<broker::enum_value>(d->AsRecordVal(),
 														TYPE_ENUM, frame).name;
 	return new StringVal(v);
 	%}
 
-## Create communication data of type "set".
-function Broker::set_create%(%): Broker::Data
+function Broker::__set_create%(%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::set());
 	%}
 
-## Remove all elements within a set.
-##
-## s: the set to clear.
-##
-## Returns: always true.
-function Broker::set_clear%(s: Broker::Data%): bool
+function Broker::__set_clear%(s: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
@@ -211,26 +125,14 @@ function Broker::set_clear%(s: Broker::Data%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Get the number of elements within a set.
-##
-## s: the set to query.
-##
-## Returns: the number of elements in the set.
-function Broker::set_size%(s: Broker::Data%): count
+function Broker::__set_size%(s: Broker::Data%): count
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
 	return new Val(static_cast<uint64_t>(v.size()), TYPE_COUNT);
 	%}
 
-## Check if a set contains a particular element.
-##
-## s: the set to query.
-##
-## key: the element to check for existence.
-##
-## Returns: true if the key exists in the set.
-function Broker::set_contains%(s: Broker::Data, key: Broker::Data%): bool
+function Broker::__set_contains%(s: Broker::Data, key: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
@@ -238,14 +140,7 @@ function Broker::set_contains%(s: Broker::Data, key: Broker::Data%): bool
 	return new Val(v.find(k) != v.end(), TYPE_BOOL);
 	%}
 
-## Insert an element into a set.
-##
-## s: the set to modify.
-##
-## key: the element to insert.
-##
-## Returns: true if the key was inserted, or false if it already existed.
-function Broker::set_insert%(s: Broker::Data, key: Broker::Data%): bool
+function Broker::__set_insert%(s: Broker::Data, key: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
@@ -253,14 +148,7 @@ function Broker::set_insert%(s: Broker::Data, key: Broker::Data%): bool
 	return new Val(v.insert(k).second, TYPE_BOOL);
 	%}
 
-## Remove an element from a set.
-##
-## s: the set to modify.
-##
-## key: the element to remove.
-##
-## Returns: true if the element existed in the set and is now removed.
-function Broker::set_remove%(s: Broker::Data, key: Broker::Data%): bool
+function Broker::__set_remove%(s: Broker::Data, key: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::set>(s->AsRecordVal(), TYPE_TABLE,
 												   frame);
@@ -268,37 +156,18 @@ function Broker::set_remove%(s: Broker::Data, key: Broker::Data%): bool
 	return new Val(v.erase(k) > 0, TYPE_BOOL);
 	%}
 
-## Create an iterator for a set.  Note that this makes a copy of the set
-## internally to ensure the iterator is always valid.
-##
-## s: the set to iterate over.
-##
-## Returns: an iterator.
-function Broker::set_iterator%(s: Broker::Data%): opaque of Broker::SetIterator
+function Broker::__set_iterator%(s: Broker::Data%): opaque of Broker::SetIterator
 	%{
 	return new bro_broker::SetIterator(s->AsRecordVal(), TYPE_TABLE, frame);
 	%}
 
-## Check if there are no more elements to iterate over.
-##
-## it: an iterator.
-##
-## Returns: true if there are no more elements to iterator over, i.e.
-##          the iterator is one-past-the-final-element.
-function Broker::set_iterator_last%(it: opaque of Broker::SetIterator%): bool
+function Broker::__set_iterator_last%(it: opaque of Broker::SetIterator%): bool
 	%{
 	auto set_it = static_cast<bro_broker::SetIterator*>(it);
 	return new Val(set_it->it == set_it->dat.end(), TYPE_BOOL);
 	%}
 
-## Advance an iterator.
-##
-## it: an iterator.
-##
-## Returns: true if the iterator, after advancing, still references an element
-##          in the collection.  False if the iterator, after advancing, is
-##          one-past-the-final-element.
-function Broker::set_iterator_next%(it: opaque of Broker::SetIterator%): bool
+function Broker::__set_iterator_next%(it: opaque of Broker::SetIterator%): bool
 	%{
 	auto set_it = static_cast<bro_broker::SetIterator*>(it);
 
@@ -309,12 +178,7 @@ function Broker::set_iterator_next%(it: opaque of Broker::SetIterator%): bool
 	return new Val(set_it->it != set_it->dat.end(), TYPE_BOOL);
 	%}
 
-## Retrieve the data at an iterator's current position.
-##
-## it: an iterator.
-##
-## Returns: element in the collection that the iterator currently references.
-function Broker::set_iterator_value%(it: opaque of Broker::SetIterator%): Broker::Data
+function Broker::__set_iterator_value%(it: opaque of Broker::SetIterator%): Broker::Data
 	%{
 	auto set_it = static_cast<bro_broker::SetIterator*>(it);
 	auto rval = new RecordVal(BifType::Record::Broker::Data);
@@ -331,18 +195,12 @@ function Broker::set_iterator_value%(it: opaque of Broker::SetIterator%): Broker
 	return rval;
 	%}
 
-## Create communication data of type "table".
-function Broker::table_create%(%): Broker::Data
+function Broker::__table_create%(%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::table());
 	%}
 
-## Remove all elements within a table.
-##
-## t: the table to clear.
-##
-## Returns: always true.
-function Broker::table_clear%(t: Broker::Data%): bool
+function Broker::__table_clear%(t: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													 TYPE_TABLE, frame);
@@ -350,26 +208,14 @@ function Broker::table_clear%(t: Broker::Data%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Get the number of elements within a table.
-##
-## t: the table to query.
-##
-## Returns: the number of elements in the table.
-function Broker::table_size%(t: Broker::Data%): count
+function Broker::__table_size%(t: Broker::Data%): count
 	%{
 	auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													 TYPE_TABLE, frame);
 	return new Val(static_cast<uint64_t>(v.size()), TYPE_COUNT);
 	%}
 
-## Check if a table contains a particular key.
-##
-## t: the table to query.
-##
-## key: the key to check for existence.
-##
-## Returns: true if the key exists in the table.
-function Broker::table_contains%(t: Broker::Data, key: Broker::Data%): bool
+function Broker::__table_contains%(t: Broker::Data, key: Broker::Data%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													 TYPE_TABLE, frame);
@@ -377,17 +223,7 @@ function Broker::table_contains%(t: Broker::Data, key: Broker::Data%): bool
 	return new Val(v.find(k) != v.end(), TYPE_BOOL);
 	%}
 
-## Insert a key-value pair into a table.
-##
-## t: the table to modify.
-##
-## key: the key at which to insert the value.
-##
-## val: the value to insert.
-##
-## Returns: true if the key-value pair was inserted, or false if the key
-##          already existed in the table.
-function Broker::table_insert%(t: Broker::Data, key: Broker::Data, val: Broker::Data%): Broker::Data
+function Broker::__table_insert%(t: Broker::Data, key: Broker::Data, val: Broker::Data%): Broker::Data
 	%{
 	auto& table = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													     TYPE_TABLE, frame);
@@ -408,15 +244,7 @@ function Broker::table_insert%(t: Broker::Data, key: Broker::Data, val: Broker::
 		}
 	%}
 
-## Remove a key-value pair from a table.
-##
-## t: the table to modify.
-##
-## key: the key to remove from the table.
-##
-## Returns: the value associated with the key.  If the key did not exist, then
-##          the optional field of the returned record is not set.
-function Broker::table_remove%(t: Broker::Data, key: Broker::Data%): Broker::Data
+function Broker::__table_remove%(t: Broker::Data, key: Broker::Data%): Broker::Data
 	%{
 	auto& table = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													     TYPE_TABLE, frame);
@@ -433,15 +261,7 @@ function Broker::table_remove%(t: Broker::Data, key: Broker::Data%): Broker::Dat
 		}
 	%}
 
-## Retrieve a value from a table.
-##
-## t: the table to query.
-##
-## key: the key to lookup.
-##
-## Returns: the value associated with the key.  If the key did not exist, then
-##          the optional field of the returned record is not set.
-function Broker::table_lookup%(t: Broker::Data, key: Broker::Data%): Broker::Data
+function Broker::__table_lookup%(t: Broker::Data, key: Broker::Data%): Broker::Data
 	%{
 	auto& table = bro_broker::require_data_type<broker::table>(t->AsRecordVal(),
 													     TYPE_TABLE, frame);
@@ -454,37 +274,18 @@ function Broker::table_lookup%(t: Broker::Data, key: Broker::Data%): Broker::Dat
 		return bro_broker::make_data_val(it->second);
 	%}
 
-## Create an iterator for a table.  Note that this makes a copy of the table
-## internally to ensure the iterator is always valid.
-##
-## t: the table to iterate over.
-##
-## Returns: an iterator.
-function Broker::table_iterator%(t: Broker::Data%): opaque of Broker::TableIterator
+function Broker::__table_iterator%(t: Broker::Data%): opaque of Broker::TableIterator
 	%{
 	return new bro_broker::TableIterator(t->AsRecordVal(), TYPE_TABLE, frame);
 	%}
 
-## Check if there are no more elements to iterate over.
-##
-## it: an iterator.
-##
-## Returns: true if there are no more elements to iterator over, i.e.
-##          the iterator is one-past-the-final-element.
-function Broker::table_iterator_last%(it: opaque of Broker::TableIterator%): bool
+function Broker::__table_iterator_last%(it: opaque of Broker::TableIterator%): bool
 	%{
 	auto ti = static_cast<bro_broker::TableIterator*>(it);
 	return new Val(ti->it == ti->dat.end(), TYPE_BOOL);
 	%}
 
-## Advance an iterator.
-##
-## it: an iterator.
-##
-## Returns: true if the iterator, after advancing, still references an element
-##          in the collection.  False if the iterator, after advancing, is
-##          one-past-the-final-element.
-function Broker::table_iterator_next%(it: opaque of Broker::TableIterator%): bool
+function Broker::__table_iterator_next%(it: opaque of Broker::TableIterator%): bool
 	%{
 	auto ti = static_cast<bro_broker::TableIterator*>(it);
 
@@ -495,12 +296,7 @@ function Broker::table_iterator_next%(it: opaque of Broker::TableIterator%): boo
 	return new Val(ti->it != ti->dat.end(), TYPE_BOOL);
 	%}
 
-## Retrieve the data at an iterator's current position.
-##
-## it: an iterator.
-##
-## Returns: element in the collection that the iterator currently references.
-function Broker::table_iterator_value%(it: opaque of Broker::TableIterator%): Broker::TableItem
+function Broker::__table_iterator_value%(it: opaque of Broker::TableIterator%): Broker::TableItem
 	%{
 	auto ti = static_cast<bro_broker::TableIterator*>(it);
 	auto rval = new RecordVal(BifType::Record::Broker::TableItem);
@@ -522,18 +318,12 @@ function Broker::table_iterator_value%(it: opaque of Broker::TableIterator%): Br
 	return rval;
 	%}
 
-## Create communication data of type "vector".
-function Broker::vector_create%(%): Broker::Data
+function Broker::__vector_create%(%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::vector());
 	%}
 
-## Remove all elements within a vector.
-##
-## v: the vector to clear.
-##
-## Returns: always true.
-function Broker::vector_clear%(v: Broker::Data%): bool
+function Broker::__vector_clear%(v: Broker::Data%): bool
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
@@ -541,30 +331,14 @@ function Broker::vector_clear%(v: Broker::Data%): bool
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Get the number of elements within a vector.
-##
-## v: the vector to query.
-##
-## Returns: the number of elements in the vector.
-function Broker::vector_size%(v: Broker::Data%): count
+function Broker::__vector_size%(v: Broker::Data%): count
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
 	return new Val(static_cast<uint64_t>(vec.size()), TYPE_COUNT);
 	%}
 
-## Insert an element into a vector at a particular position, possibly displacing
-## existing elements (insertion always grows the size of the vector by one).
-##
-## v: the vector to modify.
-##
-## d: the element to insert.
-##
-## idx: the index at which to insert the data.  If it is greater than the
-##      current size of the vector, the element is inserted at the end.
-##
-## Returns: always true.
-function Broker::vector_insert%(v: Broker::Data, d: Broker::Data, idx: count%): bool
+function Broker::__vector_insert%(v: Broker::Data, d: Broker::Data, idx: count%): bool
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
@@ -574,17 +348,7 @@ function Broker::vector_insert%(v: Broker::Data, d: Broker::Data, idx: count%):
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Replace an element in a vector at a particular position.
-##
-## v: the vector to modify.
-##
-## d: the element to insert.
-##
-## idx: the index to replace.
-##
-## Returns: the value that was just evicted.  If the index was larger than any
-##          valid index, the optional field of the returned record is not set.
-function Broker::vector_replace%(v: Broker::Data, d: Broker::Data, idx: count%): Broker::Data
+function Broker::__vector_replace%(v: Broker::Data, d: Broker::Data, idx: count%): Broker::Data
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
@@ -598,15 +362,7 @@ function Broker::vector_replace%(v: Broker::Data, d: Broker::Data, idx: count%):
 	return rval;
 	%}
 
-## Remove an element from a vector at a particular position.
-##
-## v: the vector to modify.
-##
-## idx: the index to remove.
-##
-## Returns: the value that was just evicted.  If the index was larger than any
-##          valid index, the optional field of the returned record is not set.
-function Broker::vector_remove%(v: Broker::Data, idx: count%): Broker::Data
+function Broker::__vector_remove%(v: Broker::Data, idx: count%): Broker::Data
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
@@ -619,15 +375,7 @@ function Broker::vector_remove%(v: Broker::Data, idx: count%): Broker::Data
 	return rval;
 	%}
 
-## Lookup an element in a vector at a particular position.
-##
-## v: the vector to query.
-##
-## idx: the index to lookup.
-##
-## Returns: the value at the index.  If the index was larger than any
-##          valid index, the optional field of the returned record is not set.
-function Broker::vector_lookup%(v: Broker::Data, idx: count%): Broker::Data
+function Broker::__vector_lookup%(v: Broker::Data, idx: count%): Broker::Data
 	%{
 	auto& vec = bro_broker::require_data_type<broker::vector>(v->AsRecordVal(),
 													    TYPE_VECTOR, frame);
@@ -638,37 +386,18 @@ function Broker::vector_lookup%(v: Broker::Data, idx: count%): Broker::Data
 	return bro_broker::make_data_val(vec[idx]);
 	%}
 
-## Create an iterator for a vector.  Note that this makes a copy of the vector
-## internally to ensure the iterator is always valid.
-##
-## v: the vector to iterate over.
-##
-## Returns: an iterator.
-function Broker::vector_iterator%(v: Broker::Data%): opaque of Broker::VectorIterator
+function Broker::__vector_iterator%(v: Broker::Data%): opaque of Broker::VectorIterator
 	%{
 	return new bro_broker::VectorIterator(v->AsRecordVal(), TYPE_VECTOR, frame);
 	%}
 
-## Check if there are no more elements to iterate over.
-##
-## it: an iterator.
-##
-## Returns: true if there are no more elements to iterator over, i.e.
-##          the iterator is one-past-the-final-element.
-function Broker::vector_iterator_last%(it: opaque of Broker::VectorIterator%): bool
+function Broker::__vector_iterator_last%(it: opaque of Broker::VectorIterator%): bool
 	%{
 	auto vi = static_cast<bro_broker::VectorIterator*>(it);
 	return new Val(vi->it == vi->dat.end(), TYPE_BOOL);
 	%}
 
-## Advance an iterator.
-##
-## it: an iterator.
-##
-## Returns: true if the iterator, after advancing, still references an element
-##          in the collection.  False if the iterator, after advancing, is
-##          one-past-the-final-element.
-function Broker::vector_iterator_next%(it: opaque of Broker::VectorIterator%): bool
+function Broker::__vector_iterator_next%(it: opaque of Broker::VectorIterator%): bool
 	%{
 	auto vi = static_cast<bro_broker::VectorIterator*>(it);
 
@@ -679,12 +408,7 @@ function Broker::vector_iterator_next%(it: opaque of Broker::VectorIterator%): b
 	return new Val(vi->it != vi->dat.end(), TYPE_BOOL);
 	%}
 
-## Retrieve the data at an iterator's current position.
-##
-## it: an iterator.
-##
-## Returns: element in the collection that the iterator currently references.
-function Broker::vector_iterator_value%(it: opaque of Broker::VectorIterator%): Broker::Data
+function Broker::__vector_iterator_value%(it: opaque of Broker::VectorIterator%): Broker::Data
 	%{
 	auto vi = static_cast<bro_broker::VectorIterator*>(it);
 	auto rval = new RecordVal(BifType::Record::Broker::Data);
@@ -701,38 +425,19 @@ function Broker::vector_iterator_value%(it: opaque of Broker::VectorIterator%):
 	return rval;
 	%}
 
-## Create communication data of type "record".
-##
-## sz: the number of fields in the record.
-##
-## Returns: record data, with all fields uninitialized.
-function Broker::record_create%(sz: count%): Broker::Data
+function Broker::__record_create%(sz: count%): Broker::Data
 	%{
 	return bro_broker::make_data_val(broker::record(std::vector<broker::record::field>(sz)));
 	%}
 
-## Get the number of fields within a record.
-##
-## r: the record to query.
-##
-## Returns: the number of fields in the record.
-function Broker::record_size%(r: Broker::Data%): count
+function Broker::__record_size%(r: Broker::Data%): count
 	%{
 	auto& v = bro_broker::require_data_type<broker::record>(r->AsRecordVal(),
 													  TYPE_RECORD, frame);
 	return new Val(static_cast<uint64_t>(v.fields.size()), TYPE_COUNT);
 	%}
 
-## Replace a field in a record at a particular position.
-##
-## r: the record to modify.
-##
-## d: the new field value to assign.
-##
-## idx: the index to replace.
-##
-## Returns: false if the index was larger than any valid index, else true.
-function Broker::record_assign%(r: Broker::Data, d: Broker::Data, idx: count%): bool
+function Broker::__record_assign%(r: Broker::Data, d: Broker::Data, idx: count%): bool
 	%{
 	auto& v = bro_broker::require_data_type<broker::record>(r->AsRecordVal(),
 													  TYPE_RECORD, frame);
@@ -745,16 +450,7 @@ function Broker::record_assign%(r: Broker::Data, d: Broker::Data, idx: count%):
 	return new Val(true, TYPE_BOOL);
 	%}
 
-## Lookup a field in a record at a particular position.
-##
-## r: the record to query.
-##
-## idx: the index to lookup.
-##
-## Returns: the value at the index.  The optional field of the returned record
-##          may not be set if the field of the record has no value or if the
-##          index was not valid.
-function Broker::record_lookup%(r: Broker::Data, idx: count%): Broker::Data
+function Broker::__record_lookup%(r: Broker::Data, idx: count%): Broker::Data
 	%{
 	auto& v = bro_broker::require_data_type<broker::record>(r->AsRecordVal(),
 													  TYPE_RECORD, frame);
@@ -768,37 +464,18 @@ function Broker::record_lookup%(r: Broker::Data, idx: count%): Broker::Data
 	return bro_broker::make_data_val(*v.fields[idx]);
 	%}
 
-## Create an iterator for a record.  Note that this makes a copy of the record
-## internally to ensure the iterator is always valid.
-##
-## r: the record to iterate over.
-##
-## Returns: an iterator.
-function Broker::record_iterator%(r: Broker::Data%): opaque of Broker::RecordIterator
+function Broker::__record_iterator%(r: Broker::Data%): opaque of Broker::RecordIterator
 	%{
 	return new bro_broker::RecordIterator(r->AsRecordVal(), TYPE_RECORD, frame);
 	%}
 
-## Check if there are no more elements to iterate over.
-##
-## it: an iterator.
-##
-## Returns: true if there are no more elements to iterator over, i.e.
-##          the iterator is one-past-the-final-element.
-function Broker::record_iterator_last%(it: opaque of Broker::RecordIterator%): bool
+function Broker::__record_iterator_last%(it: opaque of Broker::RecordIterator%): bool
 	%{
 	auto ri = static_cast<bro_broker::RecordIterator*>(it);
 	return new Val(ri->it == ri->dat.fields.end(), TYPE_BOOL);
 	%}
 
-## Advance an iterator.
-##
-## it: an iterator.
-##
-## Returns: true if the iterator, after advancing, still references an element
-##          in the collection.  False if the iterator, after advancing, is
-##          one-past-the-final-element.
-function Broker::record_iterator_next%(it: opaque of Broker::RecordIterator%): bool
+function Broker::__record_iterator_next%(it: opaque of Broker::RecordIterator%): bool
 	%{
 	auto ri = static_cast<bro_broker::RecordIterator*>(it);
 
@@ -809,12 +486,7 @@ function Broker::record_iterator_next%(it: opaque of Broker::RecordIterator%): b
 	return new Val(ri->it != ri->dat.fields.end(), TYPE_BOOL);
 	%}
 
-## Retrieve the data at an iterator's current position.
-##
-## it: an iterator.
-##
-## Returns: element in the collection that the iterator currently references.
-function Broker::record_iterator_value%(it: opaque of Broker::RecordIterator%): Broker::Data
+function Broker::__record_iterator_value%(it: opaque of Broker::RecordIterator%): Broker::Data
 	%{
 	auto ri = static_cast<bro_broker::RecordIterator*>(it);
 	auto rval = new RecordVal(BifType::Record::Broker::Data);
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 7e55509a86..acb451c71f 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-04-26-21-21-19
+#open	2016-04-27-02-37-50
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -20,6 +20,7 @@ scripts/base/init-bare.bro
       build/scripts/base/bif/comm.bif.bro
       build/scripts/base/bif/messaging.bif.bro
     scripts/base/frameworks/broker/store.bro
+      build/scripts/base/bif/data.bif.bro
       build/scripts/base/bif/store.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
@@ -54,7 +55,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
-    build/scripts/base/bif/data.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
@@ -131,4 +131,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2016-04-26-21-21-19
+#close	2016-04-27-02-37-50
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 075a7c1389..3a1a811a8d 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-04-26-21-21-31
+#open	2016-04-27-02-38-00
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -20,6 +20,7 @@ scripts/base/init-bare.bro
       build/scripts/base/bif/comm.bif.bro
       build/scripts/base/bif/messaging.bif.bro
     scripts/base/frameworks/broker/store.bro
+      build/scripts/base/bif/data.bif.bro
       build/scripts/base/bif/store.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
@@ -54,7 +55,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
-    build/scripts/base/bif/data.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
@@ -302,4 +302,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2016-04-26-21-21-31
+#close	2016-04-27-02-38-00
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index a39e6d8dd8..9c12980f9e 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -230,7 +230,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461724691.655146, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -351,7 +351,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461724691.655146, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -572,6 +572,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/conn-ids) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/const.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/control) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/data.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/dhcp) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/dir) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/directions-and-hosts) -> -1
@@ -873,7 +874,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461724691.655146, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -994,7 +995,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461724691.655146, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1215,6 +1216,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/conn-ids)
 0.000000   MetaHookPre   LoadFile(base<...>/const.bif.bro)
 0.000000   MetaHookPre   LoadFile(base<...>/control)
+0.000000   MetaHookPre   LoadFile(base<...>/data.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/dhcp)
 0.000000   MetaHookPre   LoadFile(base<...>/dir)
 0.000000   MetaHookPre   LoadFile(base<...>/directions-and-hosts)
@@ -1515,7 +1517,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461724691.655146, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1636,7 +1638,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461705704.402549, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461724691.655146, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()

From b1876bf744fafb6fb723716ef64103a952014be4 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Tue, 26 Apr 2016 22:30:12 -0500
Subject: [PATCH 10/17] Code cleanup for some broker tests

Simplified some function names, fixed some names of broker script wrappers,
reorder some broker function calls to avoid potential race conditions, and
don't have bro read a trace file when it will not be used.
---
 testing/btest/broker/clone_store.bro          |  4 +-
 testing/btest/broker/connection_updates.bro   |  6 +--
 testing/btest/broker/data.bro                 | 52 +++++++++----------
 testing/btest/broker/remote_print.test        |  2 +-
 .../btest/core/leaks/broker/clone_store.bro   |  4 +-
 testing/btest/core/leaks/broker/data.bro      | 52 +++++++++----------
 .../btest/core/leaks/broker/remote_event.test |  8 +--
 .../btest/core/leaks/broker/remote_log.test   |  2 +-
 .../btest/core/leaks/broker/remote_print.test |  8 +--
 9 files changed, 69 insertions(+), 69 deletions(-)

diff --git a/testing/btest/broker/clone_store.bro b/testing/btest/broker/clone_store.bro
index b761fc56ad..c810a0d209 100644
--- a/testing/btest/broker/clone_store.bro
+++ b/testing/btest/broker/clone_store.bro
@@ -1,8 +1,8 @@
 # @TEST-SERIALIZE: brokercomm
 # @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
 
-# @TEST-EXEC: btest-bg-run clone "bro -b -r $TRACES/wikipedia.trace ../clone.bro broker_port=$BROKER_PORT >clone.out"
-# @TEST-EXEC: btest-bg-run master "bro -b -r $TRACES/wikipedia.trace ../master.bro broker_port=$BROKER_PORT >master.out"
+# @TEST-EXEC: btest-bg-run clone "bro -b ../clone.bro broker_port=$BROKER_PORT >clone.out"
+# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out"
 
 # @TEST-EXEC: btest-bg-wait 60
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out
diff --git a/testing/btest/broker/connection_updates.bro b/testing/btest/broker/connection_updates.bro
index 032049e5ef..bd08fff924 100644
--- a/testing/btest/broker/connection_updates.bro
+++ b/testing/btest/broker/connection_updates.bro
@@ -22,12 +22,12 @@ event bro_init()
 
 event Broker::incoming_connection_established(peer_name: string)
 	{
-	print "Broker::incoming_connection_established", peer_name;;
+	print "Broker::incoming_connection_established", peer_name;
 	}
 
 event Broker::incoming_connection_broken(peer_name: string)
 	{
-	print "Broker::incoming_connection_broken", peer_name;;
+	print "Broker::incoming_connection_broken", peer_name;
 	terminate();
 	}
 
@@ -50,7 +50,7 @@ event Broker::outgoing_connection_established(peer_address: string,
                                             peer_name: string)
 	{
 	print "Broker::outgoing_connection_established",
-	      peer_address, peer_port, peer_name;;
+	      peer_address, peer_port, peer_name;
 	terminate();
 	}
 
diff --git a/testing/btest/broker/data.bro b/testing/btest/broker/data.bro
index d8f4c2f8b5..dc05d4142d 100644
--- a/testing/btest/broker/data.bro
+++ b/testing/btest/broker/data.bro
@@ -13,7 +13,7 @@ type bro_record : record {
 	c: count;
 };
 
-function comm_record_to_bro_record_recurse(it: opaque of Broker::RecordIterator,
+function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator,
                                            rval: bro_record,
                                            idx: count): bro_record
 	{
@@ -37,17 +37,17 @@ function comm_record_to_bro_record_recurse(it: opaque of Broker::RecordIterator,
 
 	++idx;
 	Broker::record_iterator_next(it);
-	return comm_record_to_bro_record_recurse(it, rval, idx);
+	return broker_to_bro_record_recurse(it, rval, idx);
 	}
 
-function comm_record_to_bro_record(d: Broker::Data): bro_record
+function broker_to_bro_record(d: Broker::Data): bro_record
 	{
-	return comm_record_to_bro_record_recurse(Broker::record_iterator(d),
+	return broker_to_bro_record_recurse(Broker::record_iterator(d),
 	                                         bro_record($c = 0), 0);
 	}
 
 function
-comm_set_to_bro_set_recurse(it: opaque of Broker::SetIterator,
+broker_to_bro_set_recurse(it: opaque of Broker::SetIterator,
                             rval: bro_set): bro_set
 	{
 	if ( Broker::set_iterator_last(it) )
@@ -55,17 +55,17 @@ comm_set_to_bro_set_recurse(it: opaque of Broker::SetIterator,
 
 	add rval[Broker::refine_to_string(Broker::set_iterator_value(it))];
 	Broker::set_iterator_next(it);
-	return comm_set_to_bro_set_recurse(it, rval);
+	return broker_to_bro_set_recurse(it, rval);
 	}
 
 
-function comm_set_to_bro_set(d: Broker::Data): bro_set
+function broker_to_bro_set(d: Broker::Data): bro_set
 	{
-	return comm_set_to_bro_set_recurse(Broker::set_iterator(d), bro_set());
+	return broker_to_bro_set_recurse(Broker::set_iterator(d), bro_set());
 	}
 
 function
-comm_table_to_bro_table_recurse(it: opaque of Broker::TableIterator,
+broker_to_bro_table_recurse(it: opaque of Broker::TableIterator,
                                 rval: bro_table): bro_table
 	{
 	if ( Broker::table_iterator_last(it) )
@@ -74,16 +74,16 @@ comm_table_to_bro_table_recurse(it: opaque of Broker::TableIterator,
 	local item = Broker::table_iterator_value(it);
 	rval[Broker::refine_to_string(item$key)] = Broker::refine_to_count(item$val);
 	Broker::table_iterator_next(it);
-	return comm_table_to_bro_table_recurse(it, rval);
+	return broker_to_bro_table_recurse(it, rval);
 	}
 
-function comm_table_to_bro_table(d: Broker::Data): bro_table
+function broker_to_bro_table(d: Broker::Data): bro_table
 	{
-	return comm_table_to_bro_table_recurse(Broker::table_iterator(d),
+	return broker_to_bro_table_recurse(Broker::table_iterator(d),
 	                                       bro_table());
 	}
 
-function comm_vector_to_bro_vector_recurse(it: opaque of Broker::VectorIterator,
+function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator,
                                            rval: bro_vector): bro_vector
 	{
 	if ( Broker::vector_iterator_last(it) )
@@ -91,12 +91,12 @@ function comm_vector_to_bro_vector_recurse(it: opaque of Broker::VectorIterator,
 
 	rval[|rval|] = Broker::refine_to_string(Broker::vector_iterator_value(it));
 	Broker::vector_iterator_next(it);
-	return comm_vector_to_bro_vector_recurse(it, rval);
+	return broker_to_bro_vector_recurse(it, rval);
 	}
 
-function comm_vector_to_bro_vector(d: Broker::Data): bro_vector
+function broker_to_bro_vector(d: Broker::Data): bro_vector
 	{
-	return comm_vector_to_bro_vector_recurse(Broker::vector_iterator(d),
+	return broker_to_bro_vector_recurse(Broker::vector_iterator(d),
 	                                         bro_vector());
 	}
 
@@ -145,7 +145,7 @@ print Broker::refine_to_enum_name(Broker::data(Broker::BOOL));
 print "***************************";
 
 local cs = Broker::data(s);
-print comm_set_to_bro_set(cs);
+print broker_to_bro_set(cs);
 cs = Broker::set_create();
 print Broker::set_size(cs);
 print Broker::set_insert(cs, Broker::data("hi"));
@@ -157,14 +157,14 @@ print Broker::set_size(cs);
 print Broker::set_remove(cs, Broker::data("hi"));
 print Broker::set_size(cs);
 print Broker::set_remove(cs, Broker::data("hi"));
-print comm_set_to_bro_set(cs);
+print broker_to_bro_set(cs);
 Broker::set_clear(cs);
 print Broker::set_size(cs);
 
 print "***************************";
 
 local ct = Broker::data(t);
-print comm_table_to_bro_table(ct);
+print broker_to_bro_table(ct);
 ct = Broker::table_create();
 print Broker::table_size(ct);
 print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42));
@@ -183,33 +183,33 @@ print Broker::table_size(ct);
 print "***************************";
 
 local cv = Broker::data(v);
-print comm_vector_to_bro_vector(cv);
+print broker_to_bro_vector(cv);
 cv = Broker::vector_create();
 print Broker::vector_size(cv);
 print Broker::vector_insert(cv, Broker::data("hi"), 0);
 print Broker::vector_insert(cv, Broker::data("hello"), 1);
 print Broker::vector_insert(cv, Broker::data("greetings"), 2);
 print Broker::vector_insert(cv, Broker::data("salutations"), 1);
-print comm_vector_to_bro_vector(cv);
+print broker_to_bro_vector(cv);
 print Broker::vector_size(cv);
 print Broker::vector_replace(cv, Broker::data("bah"), 2);
 print Broker::vector_lookup(cv, 2);
 print Broker::vector_lookup(cv, 0);
-print comm_vector_to_bro_vector(cv);
+print broker_to_bro_vector(cv);
 print Broker::vector_remove(cv, 2);
-print comm_vector_to_bro_vector(cv);
+print broker_to_bro_vector(cv);
 print Broker::vector_size(cv);
 
 print "***************************";
 
 local cr = Broker::data(r);
-print comm_record_to_bro_record(cr);
+print broker_to_bro_record(cr);
 r$a = "test";
 cr = Broker::data(r);
-print comm_record_to_bro_record(cr);
+print broker_to_bro_record(cr);
 r$b = "testagain";
 cr = Broker::data(r);
-print comm_record_to_bro_record(cr);
+print broker_to_bro_record(cr);
 cr = Broker::record_create(3);
 print Broker::record_size(cr);
 print Broker::record_assign(cr, Broker::data("hi"), 0);
diff --git a/testing/btest/broker/remote_print.test b/testing/btest/broker/remote_print.test
index 9cfcc44ca9..e8e9e0f71d 100644
--- a/testing/btest/broker/remote_print.test
+++ b/testing/btest/broker/remote_print.test
@@ -16,8 +16,8 @@ redef exit_only_after_terminate = T;
 event bro_init()
 	{
 	Broker::enable();
-	Broker::listen(broker_port, "127.0.0.1");
 	Broker::subscribe_to_prints("bro/print/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 global messages_to_recv = 6;
diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro
index 09308eb42e..a02e3b2880 100644
--- a/testing/btest/core/leaks/broker/clone_store.bro
+++ b/testing/btest/core/leaks/broker/clone_store.bro
@@ -51,8 +51,8 @@ event ready()
 event bro_init()
 	{
 	Broker::enable();
-	Broker::listen(broker_port, "127.0.0.1");
 	Broker::subscribe_to_events("bro/event/ready");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 @TEST-END-FILE
@@ -105,9 +105,9 @@ event Broker::outgoing_connection_established(peer_address: string,
 event bro_init()
 	{
 	Broker::enable();
+	Broker::auto_event("bro/event/ready", ready);
 	h = Broker::create_master("mystore");
 	Broker::connect("127.0.0.1", broker_port, 1secs);
-	Broker::auto_event("bro/event/ready", ready);
 	}
 
 @TEST-END-FILE
diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.bro
index 0902f6e862..146554c879 100644
--- a/testing/btest/core/leaks/broker/data.bro
+++ b/testing/btest/core/leaks/broker/data.bro
@@ -16,7 +16,7 @@ type bro_record : record {
 	c: count;
 };
 
-function comm_record_to_bro_record_recurse(it: opaque of Broker::RecordIterator,
+function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator,
                                            rval: bro_record,
                                            idx: count): bro_record
 	{
@@ -40,17 +40,17 @@ function comm_record_to_bro_record_recurse(it: opaque of Broker::RecordIterator,
 
 	++idx;
 	Broker::record_iterator_next(it);
-	return comm_record_to_bro_record_recurse(it, rval, idx);
+	return broker_to_bro_record_recurse(it, rval, idx);
 	}
 
-function comm_record_to_bro_record(d: Broker::Data): bro_record
+function broker_to_bro_record(d: Broker::Data): bro_record
 	{
-	return comm_record_to_bro_record_recurse(Broker::record_iterator(d),
+	return broker_to_bro_record_recurse(Broker::record_iterator(d),
 	                                         bro_record($c = 0), 0);
 	}
 
 function
-comm_set_to_bro_set_recurse(it: opaque of Broker::SetIterator,
+broker_to_bro_set_recurse(it: opaque of Broker::SetIterator,
                             rval: bro_set): bro_set
 	{
 	if ( Broker::set_iterator_last(it) )
@@ -58,17 +58,17 @@ comm_set_to_bro_set_recurse(it: opaque of Broker::SetIterator,
 
 	add rval[Broker::refine_to_string(Broker::set_iterator_value(it))];
 	Broker::set_iterator_next(it);
-	return comm_set_to_bro_set_recurse(it, rval);
+	return broker_to_bro_set_recurse(it, rval);
 	}
 
 
-function comm_set_to_bro_set(d: Broker::Data): bro_set
+function broker_to_bro_set(d: Broker::Data): bro_set
 	{
-	return comm_set_to_bro_set_recurse(Broker::set_iterator(d), bro_set());
+	return broker_to_bro_set_recurse(Broker::set_iterator(d), bro_set());
 	}
 
 function
-comm_table_to_bro_table_recurse(it: opaque of Broker::TableIterator,
+broker_to_bro_table_recurse(it: opaque of Broker::TableIterator,
                                 rval: bro_table): bro_table
 	{
 	if ( Broker::table_iterator_last(it) )
@@ -77,16 +77,16 @@ comm_table_to_bro_table_recurse(it: opaque of Broker::TableIterator,
 	local item = Broker::table_iterator_value(it);
 	rval[Broker::refine_to_string(item$key)] = Broker::refine_to_count(item$val);
 	Broker::table_iterator_next(it);
-	return comm_table_to_bro_table_recurse(it, rval);
+	return broker_to_bro_table_recurse(it, rval);
 	}
 
-function comm_table_to_bro_table(d: Broker::Data): bro_table
+function broker_to_bro_table(d: Broker::Data): bro_table
 	{
-	return comm_table_to_bro_table_recurse(Broker::table_iterator(d),
+	return broker_to_bro_table_recurse(Broker::table_iterator(d),
 	                                       bro_table());
 	}
 
-function comm_vector_to_bro_vector_recurse(it: opaque of Broker::VectorIterator,
+function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator,
                                            rval: bro_vector): bro_vector
 	{
 	if ( Broker::vector_iterator_last(it) )
@@ -94,12 +94,12 @@ function comm_vector_to_bro_vector_recurse(it: opaque of Broker::VectorIterator,
 
 	rval[|rval|] = Broker::refine_to_string(Broker::vector_iterator_value(it));
 	Broker::vector_iterator_next(it);
-	return comm_vector_to_bro_vector_recurse(it, rval);
+	return broker_to_bro_vector_recurse(it, rval);
 	}
 
-function comm_vector_to_bro_vector(d: Broker::Data): bro_vector
+function broker_to_bro_vector(d: Broker::Data): bro_vector
 	{
-	return comm_vector_to_bro_vector_recurse(Broker::vector_iterator(d),
+	return broker_to_bro_vector_recurse(Broker::vector_iterator(d),
 	                                         bro_vector());
 	}
 
@@ -156,7 +156,7 @@ print Broker::refine_to_enum_name(Broker::data(Broker::BOOL));
 print "***************************";
 
 local cs = Broker::data(s);
-print comm_set_to_bro_set(cs);
+print broker_to_bro_set(cs);
 cs = Broker::set_create();
 print Broker::set_size(cs);
 print Broker::set_insert(cs, Broker::data("hi"));
@@ -168,14 +168,14 @@ print Broker::set_size(cs);
 print Broker::set_remove(cs, Broker::data("hi"));
 print Broker::set_size(cs);
 print Broker::set_remove(cs, Broker::data("hi"));
-print comm_set_to_bro_set(cs);
+print broker_to_bro_set(cs);
 Broker::set_clear(cs);
 print Broker::set_size(cs);
 
 print "***************************";
 
 local ct = Broker::data(t);
-print comm_table_to_bro_table(ct);
+print broker_to_bro_table(ct);
 ct = Broker::table_create();
 print Broker::table_size(ct);
 print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42));
@@ -194,33 +194,33 @@ print Broker::table_size(ct);
 print "***************************";
 
 local cv = Broker::data(v);
-print comm_vector_to_bro_vector(cv);
+print broker_to_bro_vector(cv);
 cv = Broker::vector_create();
 print Broker::vector_size(cv);
 print Broker::vector_insert(cv, Broker::data("hi"), 0);
 print Broker::vector_insert(cv, Broker::data("hello"), 1);
 print Broker::vector_insert(cv, Broker::data("greetings"), 2);
 print Broker::vector_insert(cv, Broker::data("salutations"), 1);
-print comm_vector_to_bro_vector(cv);
+print broker_to_bro_vector(cv);
 print Broker::vector_size(cv);
 print Broker::vector_replace(cv, Broker::data("bah"), 2);
 print Broker::vector_lookup(cv, 2);
 print Broker::vector_lookup(cv, 0);
-print comm_vector_to_bro_vector(cv);
+print broker_to_bro_vector(cv);
 print Broker::vector_remove(cv, 2);
-print comm_vector_to_bro_vector(cv);
+print broker_to_bro_vector(cv);
 print Broker::vector_size(cv);
 
 print "***************************";
 
 local cr = Broker::data(r);
-print comm_record_to_bro_record(cr);
+print broker_to_bro_record(cr);
 r$a = "test";
 cr = Broker::data(r);
-print comm_record_to_bro_record(cr);
+print broker_to_bro_record(cr);
 r$b = "testagain";
 cr = Broker::data(r);
-print comm_record_to_bro_record(cr);
+print broker_to_bro_record(cr);
 cr = Broker::record_create(3);
 print Broker::record_size(cr);
 print Broker::record_assign(cr, Broker::data("hi"), 0);
diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test
index 731f001f8f..c68a9e5beb 100644
--- a/testing/btest/core/leaks/broker/remote_event.test
+++ b/testing/btest/core/leaks/broker/remote_event.test
@@ -21,9 +21,9 @@ global auto_event_handler: event(msg: string, c: count);
 event bro_init()
 	{
 	Broker::enable();
-	Broker::listen(broker_port, "127.0.0.1");
 	Broker::subscribe_to_events("bro/event/");
 	Broker::auto_event("bro/event/my_topic", auto_event_handler);
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 global event_count = 0;
@@ -42,7 +42,7 @@ event event_handler(msg: string, n: count)
 
 	event auto_event_handler(msg, n);
 	local args = Broker::event_args(event_handler, "pong", n);
-	Broker::event("bro/event/my_topic", args);
+	Broker::send_event("bro/event/my_topic", args);
 	}
 
 @TEST-END-FILE
@@ -70,7 +70,7 @@ event Broker::outgoing_connection_established(peer_address: string,
 	{
 	print "Broker::outgoing_connection_established", peer_address, peer_port;
 	local args = Broker::event_args(event_handler, "ping", event_count);
-	Broker::event("bro/event/hi", args);
+	Broker::send_event("bro/event/hi", args);
 	++event_count;
 	}
 
@@ -84,7 +84,7 @@ event event_handler(msg: string, n: count)
 	{
 	print "got event msg", msg, n;
 	local args = Broker::event_args(event_handler, "ping", event_count);
-    Broker::event("bro/event/hi", args);
+	Broker::send_event("bro/event/hi", args);
 	++event_count;
 	}
 
diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test
index 12602115a4..bf608dd459 100644
--- a/testing/btest/core/leaks/broker/remote_log.test
+++ b/testing/btest/core/leaks/broker/remote_log.test
@@ -42,8 +42,8 @@ redef exit_only_after_terminate = T;
 
 event bro_init()
 	{
-	Broker::listen(broker_port, "127.0.0.1");
 	Broker::subscribe_to_logs("bro/log/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 event Test::log_test(rec: Test::Info)
diff --git a/testing/btest/core/leaks/broker/remote_print.test b/testing/btest/core/leaks/broker/remote_print.test
index 623097b091..34266ebf4c 100644
--- a/testing/btest/core/leaks/broker/remote_print.test
+++ b/testing/btest/core/leaks/broker/remote_print.test
@@ -18,8 +18,8 @@ redef exit_only_after_terminate = T;
 event bro_init()
 	{
 	Broker::enable();
-	Broker::listen(broker_port, "127.0.0.1");
 	Broker::subscribe_to_prints("bro/print/");
+	Broker::listen(broker_port, "127.0.0.1");
 	}
 
 global messages_to_recv = 6;
@@ -37,7 +37,7 @@ event Broker::print_handler(msg: string)
 		return;
 		}
 
-	Broker::print("bro/print/my_topic", fmt("pong %d", messages_sent));
+	Broker::send_print("bro/print/my_topic", fmt("pong %d", messages_sent));
 	++messages_sent;
 	}
 
@@ -64,7 +64,7 @@ event Broker::outgoing_connection_established(peer_address: string,
                                             peer_name: string)
 	{
 	print "Broker::outgoing_connection_established", peer_address, peer_port;
-	Broker::print("bro/print/hi", fmt("ping %d", messages_sent));
+	Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
 
@@ -78,7 +78,7 @@ event Broker::print_handler(msg: string)
 	{
 	++messages_recv;
 	print "got print msg", msg;
-	Broker::print("bro/print/hi", fmt("ping %d", messages_sent));
+	Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
 	++messages_sent;
 	}
 

From fbab6490ec56ecd24f51e315a8a99acf63a9a70e Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Tue, 26 Apr 2016 23:03:28 -0500
Subject: [PATCH 11/17] Add missing tests for broker data BIFs

Added tests for the table_clear and vector_clear BIFs, and added
more tests for container types (e.g. adding the same element twice
to a set or table, or overwriting a record field value, etc.).
Also reorganized several test cases.
---
 testing/btest/Baseline/broker.data/out | 37 +++++++++++----
 testing/btest/broker/data.bro          | 63 ++++++++++++++++++++------
 2 files changed, 76 insertions(+), 24 deletions(-)

diff --git a/testing/btest/Baseline/broker.data/out b/testing/btest/Baseline/broker.data/out
index 281eb9b316..8703ca6a0c 100644
--- a/testing/btest/Baseline/broker.data/out
+++ b/testing/btest/Baseline/broker.data/out
@@ -30,12 +30,21 @@ hello
 42.0
 180.0
 Broker::BOOL
-***************************
 {
 two,
 one,
 three
 }
+{
+[two] = 2,
+[one] = 1,
+[three] = 3
+}
+[zero, one, two]
+[a=<uninitialized>, b=bee, c=1]
+[a=test, b=bee, c=1]
+[a=test, b=testagain, c=1]
+***************************
 0
 T
 1
@@ -43,19 +52,20 @@ T
 F
 T
 2
+F
+2
 T
 1
 F
 {
 bye
 }
+T
 0
-***************************
 {
-[two] = 2,
-[one] = 1,
-[three] = 3
+
 }
+***************************
 0
 [d=<uninitialized>]
 1
@@ -69,8 +79,14 @@ F
 37
 [d=broker::data{42}]
 1
+[d=<uninitialized>]
+1
+T
+0
+{
+
+}
 ***************************
-[zero, one, two]
 0
 T
 T
@@ -85,10 +101,10 @@ T
 [d=broker::data{bah}]
 [hi, salutations, greetings]
 3
+T
+0
+[]
 ***************************
-[a=<uninitialized>, b=bee, c=1]
-[a=test, b=bee, c=1]
-[a=test, b=testagain, c=1]
 3
 T
 T
@@ -97,3 +113,6 @@ T
 [d=broker::data{hello}]
 [d=broker::data{37}]
 3
+T
+3
+[d=broker::data{goodbye}]
diff --git a/testing/btest/broker/data.bro b/testing/btest/broker/data.bro
index dc05d4142d..ab51caf68d 100644
--- a/testing/btest/broker/data.bro
+++ b/testing/btest/broker/data.bro
@@ -103,6 +103,9 @@ function broker_to_bro_vector(d: Broker::Data): bro_vector
 event bro_init()
 {
 Broker::enable();
+
+### Print every broker data type
+
 print Broker::data_type(Broker::data(T));
 print Broker::data_type(Broker::data(+1));
 print Broker::data_type(Broker::data(1));
@@ -125,6 +128,8 @@ print Broker::data_type(Broker::data(r));
 
 print "***************************";
 
+### Convert a Bro value to a broker value, then print the result
+
 print Broker::refine_to_bool(Broker::data(T));
 print Broker::refine_to_bool(Broker::data(F));
 print Broker::refine_to_int(Broker::data(+1));
@@ -142,10 +147,30 @@ print Broker::refine_to_time(Broker::data(double_to_time(42)));
 print Broker::refine_to_interval(Broker::data(3min));
 print Broker::refine_to_enum_name(Broker::data(Broker::BOOL));
 
-print "***************************";
-
 local cs = Broker::data(s);
 print broker_to_bro_set(cs);
+
+local ct = Broker::data(t);
+print broker_to_bro_table(ct);
+
+local cv = Broker::data(v);
+print broker_to_bro_vector(cv);
+
+local cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
+r$a = "test";
+cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
+r$b = "testagain";
+cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
+print "***************************";
+
+### Test the broker set BIFs
+
 cs = Broker::set_create();
 print Broker::set_size(cs);
 print Broker::set_insert(cs, Broker::data("hi"));
@@ -154,17 +179,20 @@ print Broker::set_contains(cs, Broker::data("hi"));
 print Broker::set_contains(cs, Broker::data("bye"));
 print Broker::set_insert(cs, Broker::data("bye"));
 print Broker::set_size(cs);
+print Broker::set_insert(cs, Broker::data("bye"));
+print Broker::set_size(cs);
 print Broker::set_remove(cs, Broker::data("hi"));
 print Broker::set_size(cs);
 print Broker::set_remove(cs, Broker::data("hi"));
 print broker_to_bro_set(cs);
-Broker::set_clear(cs);
+print Broker::set_clear(cs);
 print Broker::set_size(cs);
+print broker_to_bro_set(cs);
 
 print "***************************";
 
-local ct = Broker::data(t);
-print broker_to_bro_table(ct);
+### Test the broker table BIFs
+
 ct = Broker::table_create();
 print Broker::table_size(ct);
 print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42));
@@ -179,11 +207,16 @@ print Broker::table_size(ct);
 print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("bye")));
 print Broker::table_remove(ct, Broker::data("hi"));
 print Broker::table_size(ct);
+print Broker::table_remove(ct, Broker::data("hi"));
+print Broker::table_size(ct);
+print Broker::table_clear(ct);
+print Broker::table_size(ct);
+print broker_to_bro_table(ct);
 
 print "***************************";
 
-local cv = Broker::data(v);
-print broker_to_bro_vector(cv);
+### Test the broker vector BIFs
+
 cv = Broker::vector_create();
 print Broker::vector_size(cv);
 print Broker::vector_insert(cv, Broker::data("hi"), 0);
@@ -199,17 +232,14 @@ print broker_to_bro_vector(cv);
 print Broker::vector_remove(cv, 2);
 print broker_to_bro_vector(cv);
 print Broker::vector_size(cv);
+print Broker::vector_clear(cv);
+print Broker::vector_size(cv);
+print broker_to_bro_vector(cv);
 
 print "***************************";
 
-local cr = Broker::data(r);
-print broker_to_bro_record(cr);
-r$a = "test";
-cr = Broker::data(r);
-print broker_to_bro_record(cr);
-r$b = "testagain";
-cr = Broker::data(r);
-print broker_to_bro_record(cr);
+### Test the broker record BIFs
+
 cr = Broker::record_create(3);
 print Broker::record_size(cr);
 print Broker::record_assign(cr, Broker::data("hi"), 0);
@@ -219,4 +249,7 @@ print Broker::record_lookup(cr, 0);
 print Broker::record_lookup(cr, 1);
 print Broker::record_lookup(cr, 2);
 print Broker::record_size(cr);
+print Broker::record_assign(cr, Broker::data("goodbye"), 1);
+print Broker::record_size(cr);
+print Broker::record_lookup(cr, 1);
 }

From f5361fb27c8b98249d50146c37be34787ecdba01 Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Tue, 26 Apr 2016 23:34:39 -0500
Subject: [PATCH 12/17] Sync the core/leaks/broker/data.bro test with
 broker/data.bro

---
 .../core.leaks.broker.data/bro..stdout        | 37 +++++++---
 testing/btest/core/leaks/broker/data.bro      | 69 ++++++++++++++-----
 2 files changed, 79 insertions(+), 27 deletions(-)

diff --git a/testing/btest/Baseline/core.leaks.broker.data/bro..stdout b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout
index 281eb9b316..8703ca6a0c 100644
--- a/testing/btest/Baseline/core.leaks.broker.data/bro..stdout
+++ b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout
@@ -30,12 +30,21 @@ hello
 42.0
 180.0
 Broker::BOOL
-***************************
 {
 two,
 one,
 three
 }
+{
+[two] = 2,
+[one] = 1,
+[three] = 3
+}
+[zero, one, two]
+[a=<uninitialized>, b=bee, c=1]
+[a=test, b=bee, c=1]
+[a=test, b=testagain, c=1]
+***************************
 0
 T
 1
@@ -43,19 +52,20 @@ T
 F
 T
 2
+F
+2
 T
 1
 F
 {
 bye
 }
+T
 0
-***************************
 {
-[two] = 2,
-[one] = 1,
-[three] = 3
+
 }
+***************************
 0
 [d=<uninitialized>]
 1
@@ -69,8 +79,14 @@ F
 37
 [d=broker::data{42}]
 1
+[d=<uninitialized>]
+1
+T
+0
+{
+
+}
 ***************************
-[zero, one, two]
 0
 T
 T
@@ -85,10 +101,10 @@ T
 [d=broker::data{bah}]
 [hi, salutations, greetings]
 3
+T
+0
+[]
 ***************************
-[a=<uninitialized>, b=bee, c=1]
-[a=test, b=bee, c=1]
-[a=test, b=testagain, c=1]
 3
 T
 T
@@ -97,3 +113,6 @@ T
 [d=broker::data{hello}]
 [d=broker::data{37}]
 3
+T
+3
+[d=broker::data{goodbye}]
diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.bro
index 146554c879..5ce53b93dd 100644
--- a/testing/btest/core/leaks/broker/data.bro
+++ b/testing/btest/core/leaks/broker/data.bro
@@ -104,16 +104,19 @@ function broker_to_bro_vector(d: Broker::Data): bro_vector
 	}
 
 event bro_init()
-	{
+{
 Broker::enable();
-	}
+}
 
 global did_it = F;
 
 event new_connection(c: connection)
-	{
+{
 if ( did_it ) return;
 did_it = T;
+
+### Print every broker data type
+
 print Broker::data_type(Broker::data(T));
 print Broker::data_type(Broker::data(+1));
 print Broker::data_type(Broker::data(1));
@@ -136,6 +139,8 @@ print Broker::data_type(Broker::data(r));
 
 print "***************************";
 
+### Convert a Bro value to a broker value, then print the result
+
 print Broker::refine_to_bool(Broker::data(T));
 print Broker::refine_to_bool(Broker::data(F));
 print Broker::refine_to_int(Broker::data(+1));
@@ -153,10 +158,30 @@ print Broker::refine_to_time(Broker::data(double_to_time(42)));
 print Broker::refine_to_interval(Broker::data(3min));
 print Broker::refine_to_enum_name(Broker::data(Broker::BOOL));
 
-print "***************************";
-
 local cs = Broker::data(s);
 print broker_to_bro_set(cs);
+
+local ct = Broker::data(t);
+print broker_to_bro_table(ct);
+
+local cv = Broker::data(v);
+print broker_to_bro_vector(cv);
+
+local cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
+r$a = "test";
+cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
+r$b = "testagain";
+cr = Broker::data(r);
+print broker_to_bro_record(cr);
+
+print "***************************";
+
+### Test the broker set BIFs
+
 cs = Broker::set_create();
 print Broker::set_size(cs);
 print Broker::set_insert(cs, Broker::data("hi"));
@@ -165,17 +190,20 @@ print Broker::set_contains(cs, Broker::data("hi"));
 print Broker::set_contains(cs, Broker::data("bye"));
 print Broker::set_insert(cs, Broker::data("bye"));
 print Broker::set_size(cs);
+print Broker::set_insert(cs, Broker::data("bye"));
+print Broker::set_size(cs);
 print Broker::set_remove(cs, Broker::data("hi"));
 print Broker::set_size(cs);
 print Broker::set_remove(cs, Broker::data("hi"));
 print broker_to_bro_set(cs);
-Broker::set_clear(cs);
+print Broker::set_clear(cs);
 print Broker::set_size(cs);
+print broker_to_bro_set(cs);
 
 print "***************************";
 
-local ct = Broker::data(t);
-print broker_to_bro_table(ct);
+### Test the broker table BIFs
+
 ct = Broker::table_create();
 print Broker::table_size(ct);
 print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42));
@@ -190,11 +218,16 @@ print Broker::table_size(ct);
 print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("bye")));
 print Broker::table_remove(ct, Broker::data("hi"));
 print Broker::table_size(ct);
+print Broker::table_remove(ct, Broker::data("hi"));
+print Broker::table_size(ct);
+print Broker::table_clear(ct);
+print Broker::table_size(ct);
+print broker_to_bro_table(ct);
 
 print "***************************";
 
-local cv = Broker::data(v);
-print broker_to_bro_vector(cv);
+### Test the broker vector BIFs
+
 cv = Broker::vector_create();
 print Broker::vector_size(cv);
 print Broker::vector_insert(cv, Broker::data("hi"), 0);
@@ -210,17 +243,14 @@ print broker_to_bro_vector(cv);
 print Broker::vector_remove(cv, 2);
 print broker_to_bro_vector(cv);
 print Broker::vector_size(cv);
+print Broker::vector_clear(cv);
+print Broker::vector_size(cv);
+print broker_to_bro_vector(cv);
 
 print "***************************";
 
-local cr = Broker::data(r);
-print broker_to_bro_record(cr);
-r$a = "test";
-cr = Broker::data(r);
-print broker_to_bro_record(cr);
-r$b = "testagain";
-cr = Broker::data(r);
-print broker_to_bro_record(cr);
+### Test the broker record BIFs
+
 cr = Broker::record_create(3);
 print Broker::record_size(cr);
 print Broker::record_assign(cr, Broker::data("hi"), 0);
@@ -230,4 +260,7 @@ print Broker::record_lookup(cr, 0);
 print Broker::record_lookup(cr, 1);
 print Broker::record_lookup(cr, 2);
 print Broker::record_size(cr);
+print Broker::record_assign(cr, Broker::data("goodbye"), 1);
+print Broker::record_size(cr);
+print Broker::record_lookup(cr, 1);
 }

From 12eb7a380ddf723125712f176bf91d3ba133d3fa Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Wed, 27 Apr 2016 00:47:48 -0500
Subject: [PATCH 13/17] Rename broker BIF wrapper functions in a few more
 places

---
 doc/frameworks/broker.rst                                 | 8 ++++----
 doc/frameworks/broker/events-connector.bro                | 6 +++---
 doc/frameworks/broker/printing-connector.bro              | 6 +++---
 .../output                                                | 6 +++---
 .../output                                                | 6 +++---
 ...clude-doc_frameworks_broker_events-connector_bro.btest | 6 +++---
 ...ude-doc_frameworks_broker_printing-connector_bro.btest | 6 +++---
 7 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst
index 328c465c18..9c9ed89514 100644
--- a/doc/frameworks/broker.rst
+++ b/doc/frameworks/broker.rst
@@ -45,7 +45,7 @@ received.
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/printing-listener.bro
 
-To send remote print messages, just call :bro:see:`Broker::print`.
+To send remote print messages, just call :bro:see:`Broker::send_print`.
 
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/printing-connector.bro
 
@@ -75,7 +75,7 @@ new events along with handlers that peers may want to send.
 .. btest-include:: ${DOC_ROOT}/frameworks/broker/events-listener.bro
 
 There are two different ways to send events.  The first is to call the
-:bro:see:`Broker::event` function directly.  The second option is to call
+:bro:see:`Broker::send_event` function directly.  The second option is to call
 the :bro:see:`Broker::auto_event` function where you specify a
 particular event that will be automatically sent to peers whenever the
 event is called locally via the normal event invocation syntax.
@@ -144,8 +144,8 @@ If not using the ``auto_publish`` flag, one can use the
 functions to manipulate the set of message topics (must match exactly)
 that are allowed to be sent to peer endpoints.  These settings take
 precedence over the per-message ``peers`` flag supplied to functions
-that take a :bro:see:`Broker::SendFlags` such as :bro:see:`Broker::print`,
-:bro:see:`Broker::event`, :bro:see:`Broker::auto_event` or
+that take a :bro:see:`Broker::SendFlags` such as :bro:see:`Broker::send_print`,
+:bro:see:`Broker::send_event`, :bro:see:`Broker::auto_event` or
 :bro:see:`Broker::enable_remote_logs`.
 
 If not using the ``auto_advertise`` flag, one can use the
diff --git a/doc/frameworks/broker/events-connector.bro b/doc/frameworks/broker/events-connector.bro
index 19a617c9cd..437e197925 100644
--- a/doc/frameworks/broker/events-connector.bro
+++ b/doc/frameworks/broker/events-connector.bro
@@ -17,11 +17,11 @@ event Broker::outgoing_connection_established(peer_address: string,
 	{
 	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
 	event my_auto_event("stuff", 88);
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
 	event my_auto_event("more stuff", 51);
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
 	}
 
 event Broker::outgoing_connection_broken(peer_address: string,
diff --git a/doc/frameworks/broker/printing-connector.bro b/doc/frameworks/broker/printing-connector.bro
index 0ab14d926b..42d961669a 100644
--- a/doc/frameworks/broker/printing-connector.bro
+++ b/doc/frameworks/broker/printing-connector.bro
@@ -14,9 +14,9 @@ event Broker::outgoing_connection_established(peer_address: string,
 	{
 	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	Broker::print("bro/print/hi", "hello");
-	Broker::print("bro/print/stuff", "...");
-	Broker::print("bro/print/bye", "goodbye");
+	Broker::send_print("bro/print/hi", "hello");
+	Broker::send_print("bro/print/stuff", "...");
+	Broker::send_print("bro/print/bye", "goodbye");
 	}
 
 event Broker::outgoing_connection_broken(peer_address: string,
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
index 8a88bde1c2..d7a0e64be2 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
@@ -21,11 +21,11 @@ event Broker::outgoing_connection_established(peer_address: string,
 	{
 	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
 	event my_auto_event("stuff", 88);
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
 	event my_auto_event("more stuff", 51);
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
 	}
 
 event Broker::outgoing_connection_broken(peer_address: string,
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output
index f332f6e4ca..91ee179fe6 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output
@@ -18,9 +18,9 @@ event Broker::outgoing_connection_established(peer_address: string,
 	{
 	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	Broker::print("bro/print/hi", "hello");
-	Broker::print("bro/print/stuff", "...");
-	Broker::print("bro/print/bye", "goodbye");
+	Broker::send_print("bro/print/hi", "hello");
+	Broker::send_print("bro/print/stuff", "...");
+	Broker::send_print("bro/print/bye", "goodbye");
 	}
 
 event Broker::outgoing_connection_broken(peer_address: string,
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
index 8a88bde1c2..d7a0e64be2 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
@@ -21,11 +21,11 @@ event Broker::outgoing_connection_established(peer_address: string,
 	{
 	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
 	event my_auto_event("stuff", 88);
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
 	event my_auto_event("more stuff", 51);
-	Broker::event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
+	Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
 	}
 
 event Broker::outgoing_connection_broken(peer_address: string,
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest
index f332f6e4ca..91ee179fe6 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest
@@ -18,9 +18,9 @@ event Broker::outgoing_connection_established(peer_address: string,
 	{
 	print "Broker::outgoing_connection_established",
 	      peer_address, peer_port, peer_name;
-	Broker::print("bro/print/hi", "hello");
-	Broker::print("bro/print/stuff", "...");
-	Broker::print("bro/print/bye", "goodbye");
+	Broker::send_print("bro/print/hi", "hello");
+	Broker::send_print("bro/print/stuff", "...");
+	Broker::send_print("bro/print/bye", "goodbye");
 	}
 
 event Broker::outgoing_connection_broken(peer_address: string,

From cd2ec7c49522629f2013f2ada5d8ad54dedf1103 Mon Sep 17 00:00:00 2001
From: Vitaly Repin <vitaly.repin@gmail.com>
Date: Thu, 28 Apr 2016 11:10:52 +0300
Subject: [PATCH 14/17] Unknown data link type error message printed out
 props.link_type instead of arg_props.link_type. It lead to the meaningless
 and misleading output (E.g.: 'unknown data link type 0xffffffff')

---
 src/iosource/PktSrc.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc
index 8db9db6ef1..025432eba3 100644
--- a/src/iosource/PktSrc.cc
+++ b/src/iosource/PktSrc.cc
@@ -91,7 +91,7 @@ void PktSrc::Opened(const Properties& arg_props)
 		{
 		char buf[512];
 		safe_snprintf(buf, sizeof(buf),
-			 "unknown data link type 0x%x", props.link_type);
+			 "unknown data link type 0x%x", arg_props.link_type);
 		Error(buf);
 		Close();
 		return;

From 380963b5063d53953462fa36452f12ac81bdc376 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 28 Apr 2016 10:06:01 -0700
Subject: [PATCH 15/17] Updating submodule(s).

 [nomail]
---
 aux/binpac   | 2 +-
 aux/bro-aux  | 2 +-
 aux/broccoli | 2 +-
 aux/broctl   | 2 +-
 aux/broker   | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/aux/binpac b/aux/binpac
index 424d40c1e8..edbbe445d9 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 424d40c1e8d5888311b50c0e5a9dfc9c5f818b66
+Subproject commit edbbe445d92cc6a5c2557661195f486b784769db
diff --git a/aux/bro-aux b/aux/bro-aux
index 105dfe4ad6..cb771a3cf5 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 105dfe4ad6c4ae4563b21cb0466ee350f0af0d43
+Subproject commit cb771a3cf592d46643eea35d206b9f3e1a0758f7
diff --git a/aux/broccoli b/aux/broccoli
index f83038b17f..b4d1686cdd 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit f83038b17fc83788415a58d77f75ad182ca6a9b7
+Subproject commit b4d1686cdd3f5505e405667b1083e8335cae6928
diff --git a/aux/broctl b/aux/broctl
index 583f3a3ff1..6583b0a84b 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 583f3a3ff1847cf96a87f865d5cf0f36fae9dd67
+Subproject commit 6583b0a84b59a90e671d6405613c35f8502ce023
diff --git a/aux/broker b/aux/broker
index 6684ab5109..bb3f55f198 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 6684ab5109f526fb535013760f17a4c8dff093ae
+Subproject commit bb3f55f198f9cfd5e545345dd6425dd08ca1d45e

From f98561b85c88191a7cf4fdef0124caad89fdb48b Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 28 Apr 2016 11:29:00 -0700
Subject: [PATCH 16/17] Updating NEWS and a test baseline after merges.

---
 CHANGES                                     | 11 +++++++++++
 NEWS                                        |  2 ++
 VERSION                                     |  2 +-
 testing/btest/Baseline/plugins.hooks/output | 20 ++++++++++++++------
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index 5f88f92cf5..d2ead001df 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,15 @@
 
+2.4-493 | 2016-04-28 11:29:00 -0700
+
+  * Rename Broker::print to Broker::send_print and Broker::event to
+    Broker::send_event to avoid using reserved keywords as function
+    names. (Daniel Thayer)
+
+  * Add script wrapper functions for Broker BIFs. This faciliates
+    documenting them through Broxygen. (Daniel Thayer)
+
+  * Extend, update, and clean up Broker tests. (Daniel Thayer)
+
 2.4-485 | 2016-04-28 10:18:46 -0700
 
   * Intel: Allow to provide uid/fuid instead of conn/file. (Johanna
diff --git a/NEWS b/NEWS
index 0ee0eb6670..e87c884e72 100644
--- a/NEWS
+++ b/NEWS
@@ -96,6 +96,8 @@ Changed Functionality
 ---------------------
 
 - The BrokerComm and BrokerStore namespaces were renamed to Broker.
+  The Broker "print" function was renamed to Broker::send_print, and
+  "event" to "Broker::send_event".
 
 - ``SSH::skip_processing_after_detection`` was removed. The functionality was
   replaced by ``SSH::disable_analyzer_after_detection``.
diff --git a/VERSION b/VERSION
index f2db26a997..ca50394da0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4-485
+2.4-493
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index a30a37bf95..61099efaf9 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -233,7 +233,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@@ -354,7 +354,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -570,11 +570,13 @@
 0.000000   MetaHookPost  LoadFile(base<...>/bro.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/broker) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/cluster) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/comm.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/communication) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/conn) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/conn-ids) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/const.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/control) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/data.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/dhcp) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/dir) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/directions-and-hosts) -> -1
@@ -601,6 +603,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/logging.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/main) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/messaging.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/modbus) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/mysql) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/netcontrol) -> -1
@@ -628,6 +631,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/software) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/ssh) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/ssl) -> -1
+0.000000   MetaHookPost  LoadFile(base<...>/store.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/strings) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/strings.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/sumstats) -> -1
@@ -878,7 +882,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@@ -999,7 +1003,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1215,11 +1219,13 @@
 0.000000   MetaHookPre   LoadFile(base<...>/bro.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/broker)
 0.000000   MetaHookPre   LoadFile(base<...>/cluster)
+0.000000   MetaHookPre   LoadFile(base<...>/comm.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/communication)
 0.000000   MetaHookPre   LoadFile(base<...>/conn)
 0.000000   MetaHookPre   LoadFile(base<...>/conn-ids)
 0.000000   MetaHookPre   LoadFile(base<...>/const.bif.bro)
 0.000000   MetaHookPre   LoadFile(base<...>/control)
+0.000000   MetaHookPre   LoadFile(base<...>/data.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/dhcp)
 0.000000   MetaHookPre   LoadFile(base<...>/dir)
 0.000000   MetaHookPre   LoadFile(base<...>/directions-and-hosts)
@@ -1246,6 +1252,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/logging)
 0.000000   MetaHookPre   LoadFile(base<...>/logging.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/main)
+0.000000   MetaHookPre   LoadFile(base<...>/messaging.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/modbus)
 0.000000   MetaHookPre   LoadFile(base<...>/mysql)
 0.000000   MetaHookPre   LoadFile(base<...>/netcontrol)
@@ -1273,6 +1280,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/software)
 0.000000   MetaHookPre   LoadFile(base<...>/ssh)
 0.000000   MetaHookPre   LoadFile(base<...>/ssl)
+0.000000   MetaHookPre   LoadFile(base<...>/store.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/strings)
 0.000000   MetaHookPre   LoadFile(base<...>/strings.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/sumstats)
@@ -1522,7 +1530,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1643,7 +1651,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()

From cc54b3772a08071bc24aebf53f3e03c3b64bedbb Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 28 Apr 2016 20:13:44 -0700
Subject: [PATCH 17/17] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index 6583b0a84b..7df7878abf 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 6583b0a84b59a90e671d6405613c35f8502ce023
+Subproject commit 7df7878abfd864f9ae5609918c0f04f58b5f5e2d