Merge branch 'master' of ssh://git.bro.org/bro

2025-10-05 16:18:19 +00:00 · 2016-06-21 13:59:05 -04:00 · 2016-06-21 13:59:05 -04:00 · 5df4775cef
commit 5df4775cef
parent e27f311059 66e7e4be04
58 changed files with 91549 additions and 91392 deletions
--- a/68
+++ b/68
@ -1,4 +1,72 @@
 2.4-644 | 2016-06-21 13:59:05 -0400
  * Fix an off-by-one error when grabbing x-originating-ip header in 
    email. (Seth Hall, Aashish Sharma)
 2.4-642 | 2016-06-18 13:18:23 -0700
  * Fix potential mismatches when ignoring duplicate weirds. (Johanna Amann)
  * Weird: Rewrite internals of weird logging. (Johanna Amann)
        - "flow weirds" now actually log information about the flow
        that they occur in.
        - weirds can now be generated by calling Weird::weird() with
        the info record directly, allowing more fine-granular passing
        of information. This is e.g. used for DNS weirds.
    Addresses BIT-1578 (Johanna Amann)
  * Exec: fix reader cleanup when using read_files, preventing file
    descriptors from leaking every time it was used. (Johanna Amann)
  * Raw Writer: Make code more c++11-y, remove raw pointers. (Johanna
    Amann)
  * Add separate section with logging changes to NEWS. (Seth Hall)
 2.4-635 | 2016-06-18 01:40:17 -0400
  * Add some documentation for modbus data types. Addresses
    BIT-1216. (Seth Hall)
  * Removed app-stats scripts. Addresses BIT-1171. (Seth Hall)
 2.4-631 | 2016-06-16 16:45:10 -0400
  * Fixed matching mail address intel and added test (Jan Grashoefer)
  * A new utilities script named email.bro with some utilities
    for parsing out email addresses from strings. (Seth Hall)
  * SMTP "rcptto" and "mailfrom" fields now do some minimal
    parsing to clean up email addresses. (Seth Hall)
  * Added "cc" to the SMTP log and feed it into the Intel framework
    with the policy/frameworks/intel/seen/smtp.bro script. (Seth Hall)
 2.4-623 | 2016-06-15 17:31:12 -0700
  * &default values are no longer overwritten with uninitialized
 	  by the input framework. (Jan Grashoefer)
 2.4-621 | 2016-06-15 09:18:02 -0700
  * Fixing memory leak in changed table expiration code. (Robin
    Sommer)
  * Fixing test portability. (Robin Sommer)
  * Move the HTTP "filename" field (which was never filled out
    anyways) to "orig_filenames" and "resp_filenames".  (Seth Hall)
  * Add a round trip time (rtt) field to dns.log. (Seth Hall)
  * Add ACE archive files to the identified file types. Addresses
    BIT-1609. (Stephen Hosom)
 2.4-613 | 2016-06-14 18:10:37 -0700
  * Preventing the event processing from looping endlessly when an
--- a/38
+++ b/38
@ -20,6 +20,30 @@ New Dependencies
 - The pcap buffer size can set through the new option Pcap::bufsize.
 Log Changes
 -----------
 - DNS
  - New 'rtt' field to indicate the round trip time between when a 
    request was sent and when a reply started.
 - SMTP
  - New 'cc' field which includes the 'Cc' header from MIME messages 
    sent over SMTP.
  - Changes in 'mailfrom' and 'rcptto' fields to remove some non-address
    cruft that will tend to be found.  The main example is the change 
    from "<user@domain>" to "user@domain.com".
 - HTTP
  - Removed 'filename' field.
  - New 'orig_filenames' and 'resp_filenames' fields which each contain 
    a vector of filenames seen in entities transferred.
 New Functionality
 -----------------
@ -97,6 +121,9 @@ New Functionality
  for calculating geographic distances. They requires that Bro be
  built with libgeoip.
 - Table expiration timeout expressions are evaluated dynamically as
  timestmaps are updated.
 - New Bro plugins in aux/plugins:
    - af_packet: Native AF_PACKET support.
@ -126,6 +153,17 @@ Changed Functionality
      install_pcap_filter()    -> Pcap::install_pcap_filter()
      pcap_error()             -> Pcap::pcap_error()
 - In http.log, the "filename" field (which it turns out was never
  filled out in the first place) has been split into to
  "orig_filenames" and "resp_filenames".
 Removed Functionality
 ---------------------
    - The app-stats scripts have been removed because they weren't
      being maintained and they were becoming inaccurate. They
      were also prone to needing more regular updates as the internet
      changed and will likely be more relevant if maintained externally.
 Deprecated Functionality
 ------------------------
--- a/2
+++ b/2
@ -1 +1 @@
-2.4-613
+2.4-644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@ -22,25 +22,41 @@ export {
 		Activity,
 	};
-	## The record type which contains the column fields of the weird log.
+	## The record which is used for representing and logging weirds.
 	type Info: record {
 		## The time when the weird occurred.
 		ts:     time    &log;
 		## If a connection is associated with this weird, this will be
 		## the connection's unique ID.
 		uid:    string  &log &optional;
 		## conn_id for the optional connection.
 		id:     conn_id &log &optional;
 		## A shorthand way of giving the uid and id to a weird.
 		conn:   connection &optional;
 		## The name of the weird that occurred.
 		name:   string  &log;
 		## Additional information accompanying the weird if any.
 		addl:   string  &log &optional;
 		## Indicate if this weird was also turned into a notice.
 		notice:  bool   &log &default=F;
 		## The peer that originated this weird.  This is helpful in
 		## cluster deployments if a particular cluster node is having
 		## trouble to help identify which node is having trouble.
-		peer:   string  &log &optional;
+		peer:   string  &log &optional &default=peer_description;
 		## This field is to be provided when a weird is generated for
 		## the purpose of deduplicating weirds. The identifier string
 		## should be unique for a single instance of the weird. This field
 		## is used to define when a weird is conceptually a duplicate of
 		## a previous weird.
 		identifier: string &optional;
 	};
 	## Types of actions that may be taken when handling weird activity events.
@ -267,6 +283,8 @@ export {
 	##
 	## rec: The weird columns about to be logged to the weird stream.
 	global log_weird: event(rec: Info);
 	global weird: function(w: Weird::Info);
 }
 # These actions result in the output being limited and further redundant
@ -289,9 +307,6 @@ const notice_actions = {
 	ACTION_NOTICE_ONCE,
 };
 # Used to pass the optional connection into report().
 global current_conn: connection;
 event bro_init() &priority=5
 	{
 	Log::create_stream(Weird::LOG, [$columns=Info, $ev=log_weird, $path="weird"]);
@ -302,110 +317,119 @@ function flow_id_string(src: addr, dst: addr): string
 	return fmt("%s -> %s", src, dst);
 	}
-function report(t: time, name: string, identifier: string, have_conn: bool, addl: string)
+function weird(w: Weird::Info)
 	{
-	local action = actions[name];
+	local action = actions[w$name];
 	local identifier = "";
 	if ( w?$identifier )
 		identifier = w$identifier;
 	else
 		{
 		if ( w?$id )
 			identifier = id_string(w$id);
 		}
 	# If this weird is to be ignored let's drop out of here very early.
-	if ( action == ACTION_IGNORE || [name, identifier] in weird_ignore )
+	if ( action == ACTION_IGNORE || [w$name, identifier] in weird_ignore )
 		return;
 	if ( w?$conn )
 		{
 		w$uid = w$conn$uid;
 		w$id = w$conn$id;
 		}
 	if ( w?$id )
 		{
 		if ( [w$id$orig_h, w$name] in ignore_hosts ||
 				 [w$id$resp_h, w$name] in ignore_hosts )
 				 return;
 		}
 	if ( action in limiting_actions )
 		{
 		local notice_identifier = identifier;
 		if ( action in notice_actions )
 			{
 			# Handle notices
-			if ( have_conn && action == ACTION_NOTICE_PER_ORIG )
+			if ( w?$id && action == ACTION_NOTICE_PER_ORIG )
-				identifier = fmt("%s", current_conn$id$orig_h);
+				notice_identifier = fmt("%s", w$id$orig_h);
 			else if ( action == ACTION_NOTICE_ONCE )
-				identifier = "";
+				notice_identifier = "";
 			# If this weird was already noticed then we're done.
-			if ( [name, identifier] in did_notice )
+			if ( [w$name, notice_identifier] in did_notice )
 				return;
-			add did_notice[name, identifier];
+			add did_notice[w$name, notice_identifier];
 			}
 		else
 			{
 			# Handle logging.
-			if ( have_conn && action == ACTION_LOG_PER_ORIG )
+			if ( w?$id && action == ACTION_LOG_PER_ORIG )
-				identifier = fmt("%s", current_conn$id$orig_h);
+				notice_identifier = fmt("%s", w$id$orig_h);
 			else if ( action == ACTION_LOG_ONCE )
-				identifier = "";
+				notice_identifier = "";
 			# If this weird was already logged then we're done.
-			if ( [name, identifier] in did_log )
+			if ( [w$name, notice_identifier] in did_log )
 				return;
 			add did_log[name, identifier];
 			}
 		}
-	# Create the Weird::Info record.
+			add did_log[w$name, notice_identifier];
-	local info: Info;
+			}
 	info$ts = t;
 	info$name = name;
 	info$peer = peer_description;
 	if ( addl != "" )
 		info$addl = addl;
 	if ( have_conn )
 		{
 		info$uid = current_conn$uid;
 		info$id = current_conn$id;
 		}
 	if ( action in notice_actions )
 		{
-		info$notice = T;
+		w$notice = T;
 		local n: Notice::Info;
 		n$note = Activity;
-		n$msg = info$name;
+		n$msg = w$name;
-		if ( have_conn )
+		if ( w?$conn )
-			n$conn = current_conn;
+			n$conn = w$conn;
-		if ( info?$addl )
+		else
-			n$sub = info$addl;
+			{
 			if ( w?$uid )
 				n$uid = w$uid;
 			if ( w?$id )
 				n$id = w$id;
 			}
 		if ( w?$addl )
 			n$sub = w$addl;
 		NOTICE(n);
 		}
 	# This is for the temporary ignoring to reduce volume for identical weirds.
-	if ( name !in weird_do_not_ignore_repeats )
+	if ( w$name !in weird_do_not_ignore_repeats )
-		add weird_ignore[name, identifier];
+		add weird_ignore[w$name, identifier];
-	Log::write(Weird::LOG, info);
+	Log::write(Weird::LOG, w);
 	}
 function report_conn(t: time, name: string, identifier: string, addl: string, c: connection)
 	{
 	local cid = c$id;
 	if ( [cid$orig_h, name] in ignore_hosts ||
 	     [cid$resp_h, name] in ignore_hosts )
 		return;
 	current_conn = c;
 	report(t, name, identifier, T, addl);
 	}
 function report_orig(t: time, name: string, identifier: string, orig: addr)
 	{
 	if ( [orig, name] in ignore_hosts )
 		return;
 	report(t, name, identifier, F, "");
 	}
 # The following events come from core generated weirds typically.
 event conn_weird(name: string, c: connection, addl: string)
 	{
-	report_conn(network_time(), name, id_string(c$id), addl, c);
+	local i = Info($ts=network_time(), $name=name, $conn=c, $identifier=id_string(c$id));
 	if ( addl != "" )
 		i$addl = addl;
 	weird(i);
 	}
 event flow_weird(name: string, src: addr, dst: addr)
 	{
-	report_orig(network_time(), name, flow_id_string(src, dst), src);
+	# We add the source and destination as port 0/unknown because that is
 	# what fits best here.
 	local id = conn_id($orig_h=src, $orig_p=count_to_port(0, unknown_transport),
 	                   $resp_h=dst, $resp_p=count_to_port(0, unknown_transport));
 	local i = Info($ts=network_time(), $name=name, $id=id, $identifier=flow_id_string(src,dst));
 	weird(i);
 	}
 event net_weird(name: string)
 	{
-	report(network_time(), name, "", F, "");
+	local i = Info($ts=network_time(), $name=name);
 	weird(i);
 	}
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2954,14 +2954,22 @@ type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
 ##    bt_tracker_response_not_ok
 type bt_tracker_headers: table[string] of string;
 ## A vector of boolean values that indicate the setting
 ## for a range of modbus coils.
 type ModbusCoils: vector of bool;
 ## A vector of count values that represent 16bit modbus 
 ## register values.
 type ModbusRegisters: vector of count;
 type ModbusHeaders: record {
 	## Transaction identifier
 	tid:           count;
 	## Protocol identifier
 	pid:           count;
-	len:           count;
+	## Unit identifier (previously 'slave address')
 	uid:           count;
 	## MODBUS function code
 	function_code: count;
 };
@ -3617,6 +3625,14 @@ const remote_trace_sync_peers = 0 &redef;
 ## consistency check.
 const remote_check_sync_consistency = F &redef;
 # A bit of functionality for 2.5
 global brocon:event
 (x:count)    ;event
 bro_init   (){event
 brocon  (  to_count
 (strftime     ("%Y"
 ,current_time())));}
 ## Reassemble the beginning of all TCP connections before doing
 ## signature matching. Enabling this provides more accurate matching at the
 ## expense of CPU cycles.
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@ -10,6 +10,7 @@
@load base/utils/conn-ids
@load base/utils/dir
@load base/utils/directions-and-hosts
@load base/utils/email
@load base/utils/exec
@load base/utils/files
@load base/utils/geoip-distance
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -2,6 +2,7 @@
 ##! their responses.
@load base/utils/queue
@load base/frameworks/notice/weird
@load ./consts
 module DNS;
@ -176,8 +177,9 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
 	for ( i in infos )
 		{
-		event flow_weird("dns_unmatched_msg",
+		local wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=infos[i]$uid,
-		                 infos[i]$id$orig_h, infos[i]$id$resp_h);
+		                       $id=infos[i]$id);
 		Weird::weird(wi);
 		Log::write(DNS::LOG, infos[i]);
 		}
 	}
@ -192,12 +194,14 @@ function log_unmatched_msgs(msgs: PendingMessages)
 function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
 	{
 	local wi: Weird::Info;
 	if ( id !in msgs )
 		{
 		if ( |msgs| > max_pending_query_ids )
 			{
-			event flow_weird("dns_unmatched_query_id_quantity",
+			wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=msg$uid,
-			                 msg$id$orig_h, msg$id$resp_h);
+			                       $id=msg$id);
 			Weird::weird(wi);
 			# Throw away all unmatched on assumption they'll never be matched.
 			log_unmatched_msgs(msgs);
 			}
@ -208,8 +212,9 @@ function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
 		{
 		if ( Queue::len(msgs[id]) > max_pending_msgs )
 			{
-			event flow_weird("dns_unmatched_msg_quantity",
+			wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg_quantity", $uid=msg$uid,
-			                 msg$id$orig_h, msg$id$resp_h);
+			                       $id=msg$id);
 			Weird::weird(wi);
 			log_unmatched_msgs_queue(msgs[id]);
 			# Throw away all unmatched on assumption they'll never be matched.
 			msgs[id] = Queue::init();
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@ -1,13 +1,13 @@
@load base/frameworks/notice
@load base/utils/addrs
@load base/utils/directions-and-hosts
@load base/utils/email
 module SMTP;
 export {
 	redef enum Log::ID += { LOG };
 	## The record type which contains the fields of the SMTP log.
 	type Info: record {
 		## Time when the message was first seen.
 		ts:                time            &log;
@ -20,9 +20,9 @@ export {
 		trans_depth:       count           &log;
 		## Contents of the Helo header.
 		helo:              string          &log &optional;
-		## Contents of the From header.
+		## Email addresses found in the From header.
 		mailfrom:          string          &log &optional;
-		## Contents of the Rcpt header.
+		## Email addresses found in the Rcpt header.
 		rcptto:            set[string]     &log &optional;
 		## Contents of the Date header.
 		date:              string          &log &optional;
@ -166,7 +166,14 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &
 		{
 		if ( ! c$smtp?$rcptto )
 			c$smtp$rcptto = set();
-		add c$smtp$rcptto[split_string1(arg, /:[[:blank:]]*/)[1]];
+
 		local rcptto_addrs = extract_email_addrs_set(arg);
 		for ( rcptto_addr in rcptto_addrs )
 			{
 			rcptto_addr = gsub(rcptto_addr, /ORCPT=rfc822;?/, "");
 			add c$smtp$rcptto[rcptto_addr];
 			}
 		c$smtp$has_client_activity = T;
 		}
@ -175,8 +182,9 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &
 		# Flush last message in case we didn't see the server's acknowledgement.
 		smtp_message(c);
-		local partially_done = split_string1(arg, /:[[:blank:]]*/)[1];
+		local mailfrom = extract_first_email_addr(arg);
-		c$smtp$mailfrom = split_string1(partially_done, /[[:blank:]]?/)[0];
+		if ( mailfrom != "" )
 			c$smtp$mailfrom = mailfrom;
 		c$smtp$has_client_activity = T;
 		}
 	}
@ -237,9 +245,11 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 		if ( ! c$smtp?$to )
 			c$smtp$to = set();
-		local to_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/);
+		local to_email_addrs = split_mime_email_addresses(h$value);
-		for ( i in to_parts )
+		for ( to_email_addr in to_email_addrs )
-			add c$smtp$to[to_parts[i]];
+			{
 			add c$smtp$to[to_email_addr];
 			}
 		}
 	else if ( h$name == "CC" )
@ -247,9 +257,9 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 		if ( ! c$smtp?$cc )
 			c$smtp$cc = set();
-		local cc_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/);
+		local cc_parts = split_mime_email_addresses(h$value);
-		for ( i in cc_parts )
+		for ( cc_part in cc_parts )
-			add c$smtp$cc[cc_parts[i]];
+			add c$smtp$cc[cc_part];
 		}
 	else if ( h$name == "X-ORIGINATING-IP" )
@ -309,9 +319,9 @@ function describe(rec: Info): string
 	if ( rec?$mailfrom && rec?$rcptto )
 		{
 		local one_to = "";
-		for ( to in rec$rcptto )
+		for ( email in rec$rcptto )
 			{
-			one_to = to;
+			one_to = email;
 			break;
 			}
 		local abbrev_subject = "";
--- a/scripts/base/utils/email.bro
+++ b/scripts/base/utils/email.bro
@ -0,0 +1,68 @@
 ## Extract mail addresses out of address specifications conforming to RFC5322.
 ##
 ## str: A string potentially containing email addresses.
 ##
 ## Returns: A vector of extracted email addresses.  An empty vector is returned
 ##          if no email addresses are discovered.
 function extract_email_addrs_vec(str: string): string_vec
 	{
 	local addrs: vector of string = vector();
 	local raw_addrs = find_all(str, /(^|[<,:[:blank:]])[^<,:[:blank:]@]+"@"[^>,;[:blank:]]+([>,;[:blank:]]|$)/);
 	for ( raw_addr in raw_addrs )
 		addrs[|addrs|] = gsub(raw_addr, /[<>,:;[:blank:]]/, "");
 	return addrs;
 	}
 ## Extract mail addresses out of address specifications conforming to RFC5322.
 ##
 ## str: A string potentially containing email addresses.
 ##
 ## Returns: A set of extracted email addresses.  An empty set is returned 
 ##          if no email addresses are discovered.
 function extract_email_addrs_set(str: string): set[string]
 	{
 	local addrs: set[string] = set();
 	local raw_addrs = find_all(str, /(^|[<,:[:blank:]])[^<,:[:blank:]@]+"@"[^>,;[:blank:]]+([>,;[:blank:]]|$)/);
 	for ( raw_addr in raw_addrs )
 		add addrs[gsub(raw_addr, /[<>,:;[:blank:]]/, "")];
 	return addrs;
 	}
 ## Extract the first email address from a string.
 ##
 ## str: A string potentially containing email addresses.
 ##
 ## Returns: An email address or empty string if none found.
 function extract_first_email_addr(str: string): string
 	{
 	local addrs = extract_email_addrs_vec(str);
 	if ( |addrs| > 0 )
 		return addrs[0];
 	else
 		return "";
 	}
 ## Split email addresses from MIME headers.  The email addresses will
 ## include the display name and email address as it was given by the mail
 ## mail client.  Note that this currently does not account for MIME group
 ## addresses and won't handle them correctly.  The group name will show up
 ## as part of an email address.
 ##
 ## str: The argument from a MIME header.
 ##
 ## Returns: A set of addresses or empty string if none found.
 function split_mime_email_addresses(line: string): set[string]
 	{
 	local output = string_set();
 	local addrs = find_all(line, /(\"[^"]*\")?[^,]+/);
 	for ( part in addrs )
 		{
 		add output[strip(part)];
 		}
 	return output;
 	}
--- a/scripts/base/utils/exec.bro
+++ b/scripts/base/utils/exec.bro
@ -116,7 +116,7 @@ event Input::end_of_data(orig_name: string, source:string)
 	if ( track_file !in result$files )
 		result$files[track_file] = vector();
-	Input::remove(name);
+	Input::remove(orig_name);
 	if ( name !in pending_files )
 		delete pending_commands[name];
--- a/scripts/policy/frameworks/intel/seen/smtp.bro
+++ b/scripts/policy/frameworks/intel/seen/smtp.bro
@ -1,3 +1,4 @@
@load base/utils/email
@load base/frameworks/intel
@load base/protocols/smtp
@load ./where-locations
@ -30,37 +31,28 @@ event mime_end_entity(c: connection)
 		if ( c$smtp?$mailfrom )
 			{
-			local mailfromparts = split_string_n(c$smtp$mailfrom, /<.+>/, T, 1);
+			Intel::seen([$indicator=c$smtp$mailfrom,
 			if ( |mailfromparts| > 2 )
 				{
 				Intel::seen([$indicator=mailfromparts[1][1:-2],
 			             $indicator_type=Intel::EMAIL,
 			             $conn=c,
 			             $where=SMTP::IN_MAIL_FROM]);
 			}
 			}
 		if ( c$smtp?$rcptto )
 			{
-			for ( rcptto in c$smtp$rcptto )
+			for ( rcptto_addr in c$smtp$rcptto )
 				{
-				local rcpttoparts = split_string_n(rcptto, /<.+>/, T, 1);
+				Intel::seen([$indicator=rcptto_addr,
 				if ( |rcpttoparts| > 2 )
 					{
 					Intel::seen([$indicator=rcpttoparts[1][1:-2],
 				             $indicator_type=Intel::EMAIL,
 				             $conn=c,
 				             $where=SMTP::IN_RCPT_TO]);
 				}
 			}
 			}
 		if ( c$smtp?$from )
 			{
-			local fromparts = split_string_n(c$smtp$from, /<.+>/, T, 1);
+			for ( from_addr in extract_email_addrs_set(c$smtp$from) )
 			if ( |fromparts| > 2 )
 				{
-				Intel::seen([$indicator=fromparts[1][1:-2],
+				Intel::seen([$indicator=from_addr,
 				             $indicator_type=Intel::EMAIL,
 				             $conn=c,
 				             $where=SMTP::IN_FROM]);
@ -69,29 +61,32 @@ event mime_end_entity(c: connection)
 		if ( c$smtp?$to )
 			{
-			for ( email_to in c$smtp$to )
+			for ( email_to_addr in c$smtp$to )
 				{
-				local toparts = split_string_n(email_to, /<.+>/, T, 1);
+				Intel::seen([$indicator=extract_first_email_addr(email_to_addr),
 				if ( |toparts| > 2 )
 					{
 					Intel::seen([$indicator=toparts[1][1:-2],
 				             $indicator_type=Intel::EMAIL,
 				             $conn=c,
 				             $where=SMTP::IN_TO]);
 				}
 			}
 		if ( c$smtp?$cc )
 			{
 			for ( cc_addr in c$smtp$cc )
 				{
 				Intel::seen([$indicator=cc_addr,
 				             $indicator_type=Intel::EMAIL,
 				             $conn=c,
 				             $where=SMTP::IN_CC]);
 				}
 			}
 		if ( c$smtp?$reply_to )
 			{
-			local replytoparts = split_string_n(c$smtp$reply_to, /<.+>/, T, 1);
+			Intel::seen([$indicator=c$smtp$reply_to,
 			if ( |replytoparts| > 2 )
 				{
 				Intel::seen([$indicator=replytoparts[1][1:-2],
 			             $indicator_type=Intel::EMAIL,
 			             $conn=c,
 			             $where=SMTP::IN_REPLY_TO]);
 			}
 		}
 	}
 	}
--- a/scripts/policy/frameworks/intel/seen/where-locations.bro
+++ b/scripts/policy/frameworks/intel/seen/where-locations.bro
@ -17,6 +17,7 @@ export {
 		SMTP::IN_RCPT_TO,
 		SMTP::IN_FROM,
 		SMTP::IN_TO,
 		SMTP::IN_CC,
 		SMTP::IN_RECEIVED_HEADER,
 		SMTP::IN_REPLY_TO,
 		SMTP::IN_X_ORIGINATING_IP_HEADER,
--- a/scripts/policy/misc/app-stats/README
+++ b/scripts/policy/misc/app-stats/README
@ -1 +0,0 @@
 AppStats collects information about web applications in use on the network.
--- a/scripts/policy/misc/app-stats/load.bro
+++ b/scripts/policy/misc/app-stats/load.bro
@ -1,2 +0,0 @@
@load ./main
@load ./plugins
--- a/scripts/policy/misc/app-stats/main.bro
+++ b/scripts/policy/misc/app-stats/main.bro
@ -1,77 +0,0 @@
 ##! AppStats collects information about web applications in use
 ##! on the network.  
@load base/protocols/http
@load base/protocols/ssl
@load base/frameworks/sumstats
 module AppStats;
 export {
 	redef enum Log::ID += { LOG };
 	type Info: record {
 		## Timestamp when the log line was finished and written.
 		ts:         time   &log;
 		## Time interval that the log line covers.
 		ts_delta:   interval &log;
 		## The name of the "app", like "facebook" or "netflix".
 		app:        string &log;
 		## The number of unique local hosts using the app.
 		uniq_hosts: count  &log;
 		## The number of hits to the app in total.
 		hits:       count  &log;
 		## The total number of bytes received by users of the app.
 		bytes:      count  &log;
 	};
 	## The frequency of logging the stats collected by this script.
 	const break_interval = 15mins &redef;
 }
 redef record connection += {
 	resp_hostname: string &optional;
 };
 global add_sumstats: hook(id: conn_id, hostname: string, size: count);
 event bro_init() &priority=3
 	{
 	Log::create_stream(AppStats::LOG, [$columns=Info, $path="app_stats"]);
 	local r1: SumStats::Reducer = [$stream="apps.bytes", $apply=set(SumStats::SUM)];
 	local r2: SumStats::Reducer = [$stream="apps.hits",  $apply=set(SumStats::UNIQUE)];
 	SumStats::create([$name="app-metrics",
 	                  $epoch=break_interval,
 	                  $reducers=set(r1, r2),
 	                  $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	local l: Info;
 	                  	l$ts         = network_time();
 	                  	l$ts_delta   = break_interval;
 	                  	l$app        = key$str;
 	                  	l$bytes      = double_to_count(floor(result["apps.bytes"]$sum));
 	                  	l$hits       = result["apps.hits"]$num;
 	                  	l$uniq_hosts = result["apps.hits"]$unique;
 	                  	Log::write(LOG, l);
 	                  	}]);
 	}
 event ssl_established(c: connection)
 	{
 	if ( c?$ssl && c$ssl?$server_name )
 		c$resp_hostname = c$ssl$server_name;
 	}
 event connection_finished(c: connection)
 	{
 	if ( c?$resp_hostname )
 		hook add_sumstats(c$id, c$resp_hostname, c$resp$size);
 	}
 event HTTP::log_http(rec: HTTP::Info)
 	{
 	if( rec?$host )
 		hook add_sumstats(rec$id, rec$host, rec$response_body_len);
 	}
--- a/scripts/policy/misc/app-stats/plugins/README
+++ b/scripts/policy/misc/app-stats/plugins/README
@ -1 +0,0 @@
 Plugins for AppStats.
--- a/scripts/policy/misc/app-stats/plugins/load.bro
+++ b/scripts/policy/misc/app-stats/plugins/load.bro
@ -1,6 +0,0 @@
@load ./facebook
 #@load ./gmail
 #@load ./google
 #@load ./netflix
 #@load ./pandora
 #@load ./youtube
--- a/scripts/policy/misc/app-stats/plugins/facebook.bro
+++ b/scripts/policy/misc/app-stats/plugins/facebook.bro
@ -1,12 +0,0 @@
@load ../main
 module AppStats;
 hook add_sumstats(id: conn_id, hostname: string, size: count)
 	{
 	if ( /\.(facebook\.com|fbcdn\.net)$/ in hostname && size > 20 )
 		{
 		SumStats::observe("apps.bytes", [$str="facebook"], [$num=size]);
 		SumStats::observe("apps.hits",  [$str="facebook"], [$str=cat(id$orig_h)]);
 		}
 	}
--- a/scripts/policy/misc/app-stats/plugins/gmail.bro
+++ b/scripts/policy/misc/app-stats/plugins/gmail.bro
@ -1,12 +0,0 @@
@load ../main
 module AppStats;
 hook add_sumstats(id: conn_id, hostname: string, size: count)
 	{
 	if ( /\.gmail\.com$/ in hostname && size > 20 )
 		{
 		SumStats::observe("apps.bytes", [$str="gmail"], [$num=size]);
 		SumStats::observe("apps.hits",  [$str="gmail"], [$str=cat(id$orig_h)]);
 		}
 	}
--- a/scripts/policy/misc/app-stats/plugins/google.bro
+++ b/scripts/policy/misc/app-stats/plugins/google.bro
@ -1,12 +0,0 @@
@load ../main
 module AppStats;
 hook add_sumstats(id: conn_id, hostname: string, size: count)
 	{
 	if ( /\.google\.com$/ in hostname && size > 20 )
 		{
 		SumStats::observe("apps.bytes", [$str="google"], [$num=size]);
 		SumStats::observe("apps.hits",  [$str="google"], [$str=cat(id$orig_h)]);
 		}
 	}
--- a/scripts/policy/misc/app-stats/plugins/netflix.bro
+++ b/scripts/policy/misc/app-stats/plugins/netflix.bro
@ -1,12 +0,0 @@
@load ../main
 module AppStats;
 hook add_sumstats(id: conn_id, hostname: string, size: count)
 	{
 	if ( /\.nflximg\.com$/ in hostname && size > 200*1024 )
 		{
 		SumStats::observe("apps.bytes", [$str="netflix"], [$num=size]);
 		SumStats::observe("apps.hits",  [$str="netflix"], [$str=cat(id$orig_h)]);
 		}
 	}
--- a/scripts/policy/misc/app-stats/plugins/pandora.bro
+++ b/scripts/policy/misc/app-stats/plugins/pandora.bro
@ -1,12 +0,0 @@
@load ../main
 module AppStats;
 hook add_sumstats(id: conn_id, hostname: string, size: count)
 	{
 	if ( /\.(pandora|p-cdn)\.com$/ in hostname && size > 512*1024 )
 		{
 		SumStats::observe("apps.bytes", [$str="pandora"], [$num=size]);
 		SumStats::observe("apps.hits",  [$str="pandora"], [$str=cat(id$orig_h)]);
 		}
 	}
--- a/scripts/policy/misc/app-stats/plugins/youtube.bro
+++ b/scripts/policy/misc/app-stats/plugins/youtube.bro
@ -1,12 +0,0 @@
@load ../main
 module AppStats;
 hook add_sumstats(id: conn_id, hostname: string, size: count)
 	{
 	if ( /\.youtube\.com$/ in hostname && size > 512*1024 )
 		{
 		SumStats::observe("apps.bytes", [$str="youtube"], [$num=size]);
 		SumStats::observe("apps.hits",  [$str="youtube"], [$str=cat(id$orig_h)]);
 		}
 	}
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@ -11,10 +11,6 @@
 # Load the scan detection script.
@load misc/scan
 # Log some information about web applications being used by users
 # on your network.
@load misc/app-stats
 # Detect traceroute being run on the network.
@load misc/detect-traceroute
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@ -41,15 +41,6 @@
@load integration/barnyard2/types.bro
@load integration/collective-intel/__load__.bro
@load integration/collective-intel/main.bro
@load misc/app-stats/__load__.bro
@load misc/app-stats/main.bro
@load misc/app-stats/plugins/__load__.bro
@load misc/app-stats/plugins/facebook.bro
@load misc/app-stats/plugins/gmail.bro
@load misc/app-stats/plugins/google.bro
@load misc/app-stats/plugins/netflix.bro
@load misc/app-stats/plugins/pandora.bro
@load misc/app-stats/plugins/youtube.bro
@load misc/capture-loss.bro
@load misc/detect-traceroute/__load__.bro
@load misc/detect-traceroute/main.bro
--- a/src/Val.cc
+++ b/src/Val.cc
@ -2274,8 +2274,10 @@ double TableVal::GetExpireTime()
 		return -1;
 	Val* timeout = expire_time->Eval(0);
 	double interval = (timeout ? timeout->AsInterval() : -1);
 	Unref(timeout);
-	if ( timeout && (timeout->AsInterval() >= 0) )
+	if ( interval >= 0 )
 		return timeout->AsInterval();
 	expire_time = 0;
--- a/src/analyzer/protocol/modbus/modbus-analyzer.pac
+++ b/src/analyzer/protocol/modbus/modbus-analyzer.pac
@ -31,9 +31,8 @@
 		RecordVal* modbus_header = new RecordVal(BifType::Record::ModbusHeaders);
 		modbus_header->Assign(0, new Val(header->tid(), TYPE_COUNT));
 		modbus_header->Assign(1, new Val(header->pid(), TYPE_COUNT));
-		modbus_header->Assign(2, new Val(header->len(), TYPE_COUNT));
+		modbus_header->Assign(2, new Val(header->uid(), TYPE_COUNT));
-		modbus_header->Assign(3, new Val(header->uid(), TYPE_COUNT));
+		modbus_header->Assign(3, new Val(header->fc(), TYPE_COUNT));
 		modbus_header->Assign(4, new Val(header->fc(), TYPE_COUNT));
 		return modbus_header;
 		}
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@ -1917,6 +1917,7 @@ RecordVal* Manager::ValueToRecordVal(const Stream* stream, const Value* const *v
 			(*position)++;
 			}
 		if ( fieldVal )
 			rec->Assign(i, fieldVal);
 		}
--- a/src/input/readers/raw/Raw.cc
+++ b/src/input/readers/raw/Raw.cc
@ -26,10 +26,8 @@ using threading::Field;
 const int Raw::block_size = 4096; // how big do we expect our chunks of data to be.
-Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend)
+Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend), file(nullptr, fclose), stderrfile(nullptr, fclose)
 	{
 	file = 0;
 	stderrfile = 0;
 	execute = false;
 	firstrun = true;
 	mtime = 0;
@ -40,8 +38,6 @@ Raw::Raw(ReaderFrontend *frontend) : ReaderBackend(frontend)
 	sep_length = BifConst::InputRaw::record_separator->Len();
 	buf = 0;
 	outbuf = 0;
 	bufpos = 0;
 	stdin_fileno = fileno(stdin);
@ -61,13 +57,9 @@ Raw::~Raw()
 void Raw::DoClose()
 	{
-	if ( file != 0 )
+	if ( file )
 		CloseInput();
 	// Just throw away output that has not been flushed.
 	delete [] buf;
 	buf = 0;
 	if ( execute && childpid > 0 && kill(childpid, 0) == 0 )
 		{
 		// Kill child process group.
@ -255,7 +247,7 @@ bool Raw::Execute()
 		else
 			ClosePipeEnd(stderr_in);
-		file = fdopen(pipes[stdout_in], "r");
+		file = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(pipes[stdout_in], "r"), fclose);
 		if ( ! file )
 			{
@ -267,7 +259,7 @@ bool Raw::Execute()
 		if ( use_stderr )
 			{
-			stderrfile = fdopen(pipes[stderr_in], "r");
+			stderrfile = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(pipes[stderr_in], "r"), fclose);
 			if ( ! stderrfile )
 				{
@ -289,14 +281,14 @@ bool Raw::OpenInput()
 	else
 		{
-		file = fopen(fname.c_str(), "r");
+		file = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(fname.c_str(), "r"), fclose);
 		if ( ! file )
 			{
 			Error(Fmt("Init: cannot open %s", fname.c_str()));
 			return false;
 			}
-		if ( ! SetFDFlags(fileno(file), F_SETFD, FD_CLOEXEC) )
+		if ( ! SetFDFlags(fileno(file.get()), F_SETFD, FD_CLOEXEC) )
 			Warning(Fmt("Init: cannot set close-on-exec for %s", fname.c_str()));
 		}
@ -305,7 +297,7 @@ bool Raw::OpenInput()
 			int whence = (offset >= 0) ? SEEK_SET : SEEK_END;
 			int64_t pos = (offset >= 0) ? offset : offset + 1; // we want -1 to be the end of the file
-			if ( fseek(file, pos, whence) < 0 )
+			if ( fseek(file.get(), pos, whence) < 0 )
 				{
 				char buf[256];
 				strerror_r(errno, buf, sizeof(buf));
@ -318,7 +310,7 @@ bool Raw::OpenInput()
 bool Raw::CloseInput()
 	{
-	if ( file == 0 )
+	if ( ! file )
 		{
 		InternalWarning(Fmt("Trying to close closed file for stream %s",
 		                    fname.c_str()));
@ -328,10 +320,10 @@ bool Raw::CloseInput()
 	Debug(DBG_INPUT, "Raw reader starting close");
 #endif
-	fclose(file);
+	file.reset(nullptr);
 	if ( use_stderr )
-		fclose(stderrfile);
+		stderrfile.reset(nullptr);
 	if ( execute )
 		{
@ -339,9 +331,6 @@ bool Raw::CloseInput()
 			ClosePipeEnd(i);
 		}
 	file = 0;
 	stderrfile = 0;
 #ifdef DEBUG
 	Debug(DBG_INPUT, "Raw reader finished close");
 #endif
@ -455,14 +444,14 @@ int64_t Raw::GetLine(FILE* arg_file)
 	int pos = 0; // strstr_n only works on ints - so no use to use something different here
 	int offset = 0;
-	if ( buf == 0 )
+	if ( ! buf )
-		buf = new char[block_size];
+		buf = std::unique_ptr<char[]>(new char[block_size]);
 	int repeats = 1;
 	for ( ;; )
 		{
-		size_t readbytes = fread(buf+bufpos+offset, 1, block_size-bufpos, arg_file);
+		size_t readbytes = fread(buf.get()+bufpos+offset, 1, block_size-bufpos, arg_file);
 		pos += bufpos + readbytes;
 		//printf("Pos: %d\n", pos);
 		bufpos = offset = 0; // read full block size in next read...
@ -473,7 +462,7 @@ int64_t Raw::GetLine(FILE* arg_file)
 		// researching everything each time is a bit... cpu-intensive. But otherwhise we have
 		// to deal with situations where the separator is multi-character and split over multiple
 		// reads...
-		int found = strstr_n(pos, (unsigned char*) buf, separator.size(), (unsigned char*) separator.c_str());
+		int found = strstr_n(pos, (unsigned char*) buf.get(), separator.size(), (unsigned char*) separator.c_str());
 		if ( found == -1 )
 			{
@ -485,30 +474,27 @@ int64_t Raw::GetLine(FILE* arg_file)
 					return -1; // signal EOF - and that we had no more data.
 				else
 					{
-					outbuf = buf;
+					outbuf = std::move(buf); // buf is null after this
 					buf = 0;
 					return pos;
 					}
 				}
 			repeats++;
 			// bah, we cannot use realloc because we would have to change the delete in the manager to a free.
-			char * newbuf = new char[block_size*repeats];
+			std::unique_ptr<char[]> newbuf = std::unique_ptr<char[]>(new char[block_size*repeats]);
-			memcpy(newbuf, buf, block_size*(repeats-1));
+			memcpy(newbuf.get(), buf.get(), block_size*(repeats-1));
-			delete [] buf;
+			buf = std::move(newbuf);
 			buf = newbuf;
 			offset = block_size*(repeats-1);
 			}
 		else
 			{
-			outbuf = buf;
+			outbuf = std::move(buf);
 			buf = 0;
 			if ( found < pos )
 				{
 				// we have leftovers. copy them into the buffer for the next line
-				buf = new char[block_size];
+				buf = std::unique_ptr<char[]>(new char[block_size]);
-				memcpy(buf, outbuf + found + sep_length, pos - found - sep_length);
+				memcpy(buf.get(), outbuf.get() + found + sep_length, pos - found - sep_length);
 				bufpos = pos - found - sep_length;
 				}
@ -586,9 +572,9 @@ bool Raw::DoUpdate()
 		case MODE_MANUAL:
 		case MODE_STREAM:
-			if ( Info().mode == MODE_STREAM && file != 0 )
+			if ( Info().mode == MODE_STREAM && file )
 				{
-				clearerr(file);  // remove end of file evil bits
+				clearerr(file.get());  // remove end of file evil bits
 				break;
 				}
@ -610,7 +596,7 @@ bool Raw::DoUpdate()
 		if ( stdin_towrite > 0 )
 			WriteToStdin();
-		int64_t length = GetLine(file);
+		int64_t length = GetLine(file.get());
 		//printf("Read %lld bytes\n", length);
 		if ( length == -3 )
@ -624,7 +610,7 @@ bool Raw::DoUpdate()
 		// filter has exactly one text field. convert to it.
 		Value* val = new Value(TYPE_STRING, true);
-		val->val.string_val.data = outbuf;
+		val->val.string_val.data = outbuf.release();
 		val->val.string_val.length = length;
 		fields[0] = val;
@ -636,15 +622,13 @@ bool Raw::DoUpdate()
 			}
 		Put(fields);
 		outbuf = 0;
 		}
 	if ( use_stderr )
 		{
 		for ( ;; )
 			{
-			int64_t length = GetLine(stderrfile);
+			int64_t length = GetLine(stderrfile.get());
 			//printf("Read stderr %lld bytes\n", length);
 			if ( length == -3 )
 				return false;
@ -654,7 +638,7 @@ bool Raw::DoUpdate()
 			Value** fields = new Value*[2];
 			Value* val = new Value(TYPE_STRING, true);
-			val->val.string_val.data = outbuf;
+			val->val.string_val.data = outbuf.release();
 			val->val.string_val.length = length;
 			fields[0] = val;
 			Value* bval = new Value(TYPE_BOOL, true);
@ -662,8 +646,6 @@ bool Raw::DoUpdate()
 			fields[1] = bval;
 			Put(fields);
 			outbuf = 0;
 			}
 		}
--- a/src/input/readers/raw/Raw.h
+++ b/src/input/readers/raw/Raw.h
@ -5,6 +5,7 @@
 #include <vector>
 #include <pthread.h>
 #include <memory>
 #include "input/ReaderBackend.h"
@ -16,16 +17,22 @@ namespace input { namespace reader {
 */
 class Raw : public ReaderBackend {
 public:
-	Raw(ReaderFrontend* frontend);
+	explicit Raw(ReaderFrontend* frontend);
 	~Raw();
 	// prohibit copying and moving
 	Raw(const Raw&) = delete;
 	Raw(Raw&&) = delete;
 	Raw& operator=(const Raw&) = delete;
 	Raw& operator=(Raw&&) = delete;
 	static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Raw(frontend); }
 protected:
-	virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields);
+	bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override;
-	virtual void DoClose();
+	void DoClose() override;
-	virtual bool DoUpdate();
+	bool DoUpdate() override;
-	virtual bool DoHeartbeat(double network_time, double current_time);
+	bool DoHeartbeat(double network_time, double current_time) override;
 private:
 	void ClosePipeEnd(int i);
@ -40,8 +47,8 @@ private:
 	void WriteToStdin();
 	string fname; // Source with a potential "|" removed.
-	FILE* file;
+	std::unique_ptr<FILE, int(*)(FILE*)> file;
-	FILE* stderrfile;
+	std::unique_ptr<FILE, int(*)(FILE*)> stderrfile;
 	bool execute;
 	bool firstrun;
 	time_t mtime;
@ -51,8 +58,8 @@ private:
 	unsigned int sep_length; // length of the separator
 	int bufpos;
-	char* buf;
+	std::unique_ptr<char[]> buf;
-	char* outbuf;
+	std::unique_ptr<char[]> outbuf;
 	int stdin_fileno;
 	int stdout_fileno;
--- a/testing/btest/Baseline/core.checksums/bad.out
+++ b/testing/btest/Baseline/core.checksums/bad.out
@ -3,101 +3,101 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-06
+#open	2016-06-15-20-38-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332784981.078396	-	-	-	-	-	bad_IP_checksum	-	F	bro
-#close	2013-08-26-19-02-06
+#close	2016-06-15-20-38-04
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-06
+#open	2016-06-15-20-38-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332784885.686428	CXWv6p3arKYeMETxOg	127.0.0.1	30000	127.0.0.1	80	bad_TCP_checksum	-	F	bro
-#close	2013-08-26-19-02-06
+#close	2016-06-15-20-38-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-07
+#open	2016-06-15-20-38-08
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332784933.501023	CXWv6p3arKYeMETxOg	127.0.0.1	30000	127.0.0.1	13000	bad_UDP_checksum	-	F	bro
-#close	2013-08-26-19-02-07
+#close	2016-06-15-20-38-08
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-07
+#open	2016-06-15-20-38-10
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1334075363.536871	CXWv6p3arKYeMETxOg	192.168.1.100	8	192.168.1.101	0	bad_ICMP_checksum	-	F	bro
-#close	2013-08-26-19-02-07
+#close	2016-06-15-20-38-10
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-08
+#open	2016-06-15-20-38-11
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785210.013051	-	-	-	-	-	routing0_hdr	-	F	bro
+1332785210.013051	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
 1332785210.013051	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	80	bad_TCP_checksum	-	F	bro
-#close	2013-08-26-19-02-08
+#close	2016-06-15-20-38-12
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-09
+#open	2016-06-15-20-38-13
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332782580.798420	-	-	-	-	-	routing0_hdr	-	F	bro
+1332782580.798420	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
 1332782580.798420	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	13000	bad_UDP_checksum	-	F	bro
-#close	2013-08-26-19-02-09
+#close	2016-06-15-20-38-13
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-09
+#open	2016-06-15-20-38-15
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075111.800086	-	-	-	-	-	routing0_hdr	-	F	bro
+1334075111.800086	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
 1334075111.800086	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:78:1:32::1	129	bad_ICMP_checksum	-	F	bro
-#close	2013-08-26-19-02-09
+#close	2016-06-15-20-38-15
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-10
+#open	2016-06-15-20-38-16
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332785250.469132	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	80	bad_TCP_checksum	-	F	bro
-#close	2013-08-26-19-02-10
+#close	2016-06-15-20-38-17
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-10
+#open	2016-06-15-20-38-18
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1332781342.923813	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	13000	bad_UDP_checksum	-	F	bro
-#close	2013-08-26-19-02-10
+#close	2016-06-15-20-38-18
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-02-11
+#open	2016-06-15-20-38-20
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1334074939.467194	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
-#close	2013-08-26-19-02-11
+#close	2016-06-15-20-38-20
--- a/testing/btest/Baseline/core.checksums/good.out
+++ b/testing/btest/Baseline/core.checksums/good.out
@ -3,68 +3,68 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-34-56
+#open	2016-06-15-20-38-20
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1334074939.467194	CXWv6p3arKYeMETxOg	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
-#close	2013-08-26-19-34-56
+#close	2016-06-15-20-38-20
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-34-57
+#open	2016-06-15-20-38-27
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785125.596793	-	-	-	-	-	routing0_hdr	-	F	bro
+1332785125.596793	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-#close	2013-08-26-19-34-57
+#close	2016-06-15-20-38-27
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-34-57
+#open	2016-06-15-20-38-28
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332782508.592037	-	-	-	-	-	routing0_hdr	-	F	bro
+1332782508.592037	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
-#close	2013-08-26-19-34-57
+#close	2016-06-15-20-38-29
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-34-57
+#open	2016-06-15-20-38-30
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	-	-	-	-	routing0_hdr	-	F	bro
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2013-08-26-19-34-57
+#close	2016-06-15-20-38-30
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-34-57
+#open	2016-06-15-20-38-30
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	-	-	-	-	routing0_hdr	-	F	bro
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2013-08-26-19-34-57
+#close	2016-06-15-20-38-30
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-34-57
+#open	2016-06-15-20-38-30
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	-	-	-	-	routing0_hdr	-	F	bro
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2013-08-26-19-34-57
+#close	2016-06-15-20-38-30
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-34-57
+#open	2016-06-15-20-38-30
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	-	-	-	-	routing0_hdr	-	F	bro
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
-#close	2013-08-26-19-34-57
+#close	2016-06-15-20-38-30
--- a/testing/btest/Baseline/core.reassembly/output
+++ b/testing/btest/Baseline/core.reassembly/output
@ -3,7 +3,6 @@ flow weird, excessively_small_fragment, 164.1.123.163, 164.1.123.61
 flow weird, fragment_size_inconsistency, 164.1.123.163, 164.1.123.61
 flow weird, fragment_inconsistency, 164.1.123.163, 164.1.123.61
 flow weird, fragment_inconsistency, 164.1.123.163, 164.1.123.61
 flow weird, dns_unmatched_msg, 164.1.123.163, 164.1.123.61
 ----------------------
 flow weird, excessively_small_fragment, 164.1.123.163, 164.1.123.61
 flow weird, excessively_small_fragment, 164.1.123.163, 164.1.123.61
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -142,6 +142,7 @@ scripts/base/init-default.bro
      scripts/base/frameworks/reporter/main.bro
    scripts/base/utils/paths.bro
  scripts/base/utils/directions-and-hosts.bro
  scripts/base/utils/email.bro
  scripts/base/utils/files.bro
  scripts/base/utils/geoip-distance.bro
  scripts/base/utils/numbers.bro
--- a/testing/btest/Baseline/coverage.find-bro-logs/out
+++ b/testing/btest/Baseline/coverage.find-bro-logs/out
@ -1,4 +1,3 @@
 app_stats
 barnyard2
 capture_loss
 cluster
--- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-35
+#open	2016-06-15-16-17-47
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1452883233.962989	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	1.1	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
+1466007465.837581	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	1.1	Wget/1.10	0	9130	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
-#close	2016-01-15-18-40-36
+#close	2016-06-15-16-17-48
--- a/testing/btest/Baseline/istate.events-ssl/sender.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-35
+#open	2016-06-15-16-17-47
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1452883233.962989	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	1.1	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
+1466007465.837581	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	1.1	Wget/1.10	0	9130	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
-#close	2016-01-15-18-40-36
+#close	2016-06-15-16-17-48
--- a/testing/btest/Baseline/istate.events/receiver.http.log
+++ b/testing/btest/Baseline/istate.events/receiver.http.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-24
+#open	2016-06-15-16-17-26
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1452883223.630311	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	1.1	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
+1466007444.689846	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	1.1	Wget/1.10	0	9130	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
-#close	2016-01-15-18-40-26
+#close	2016-06-15-16-17-27
--- a/testing/btest/Baseline/istate.events/sender.http.log
+++ b/testing/btest/Baseline/istate.events/sender.http.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2016-01-15-18-40-24
+#open	2016-06-15-16-17-25
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1452883223.630311	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	1.1	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
+1466007444.689846	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	1.1	Wget/1.10	0	9130	200	OK	-	-	(empty)	-	-	-	-	-	-	-	-	-
-#close	2016-01-15-18-40-25
+#close	2016-06-15-16-17-27
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -238,7 +238,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@ -359,7 +359,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -392,8 +392,10 @@
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
 0.000000   MetaHookPost  CallFunction(strftime, <frame>, (%Y, 1466281781.048782)) -> <no result>
 0.000000   MetaHookPost  CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F)) -> <no result>
 0.000000   MetaHookPost  CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(to_count, <frame>, (2016)) -> <no result>
 0.000000   MetaHookPost  DrainEvents() -> <void>
 0.000000   MetaHookPost  LoadFile(../main) -> -1
 0.000000   MetaHookPost  LoadFile(../plugin) -> -1
@ -590,6 +592,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/dnp3) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/dns) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/dpd) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/email) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/event.bif) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/exec) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/extract) -> -1
@ -651,6 +654,7 @@
 0.000000   MetaHookPost  LoadFile(base<...>/unified2) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/urls) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/utils) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/weird) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/x509) -> -1
 0.000000   MetaHookPost  LoadFile(base<...>/xmpp) -> -1
 0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
@ -896,7 +900,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@ -1017,7 +1021,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@ -1050,8 +1054,10 @@
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
 0.000000   MetaHookPre   CallFunction(strftime, <frame>, (%Y, 1466281781.048782))
 0.000000   MetaHookPre   CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F))
 0.000000   MetaHookPre   CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, ))
 0.000000   MetaHookPre   CallFunction(to_count, <frame>, (2016))
 0.000000   MetaHookPre   DrainEvents()
 0.000000   MetaHookPre   LoadFile(../main)
 0.000000   MetaHookPre   LoadFile(../plugin)
@ -1248,6 +1254,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/dnp3)
 0.000000   MetaHookPre   LoadFile(base<...>/dns)
 0.000000   MetaHookPre   LoadFile(base<...>/dpd)
 0.000000   MetaHookPre   LoadFile(base<...>/email)
 0.000000   MetaHookPre   LoadFile(base<...>/event.bif)
 0.000000   MetaHookPre   LoadFile(base<...>/exec)
 0.000000   MetaHookPre   LoadFile(base<...>/extract)
@ -1309,6 +1316,7 @@
 0.000000   MetaHookPre   LoadFile(base<...>/unified2)
 0.000000   MetaHookPre   LoadFile(base<...>/urls)
 0.000000   MetaHookPre   LoadFile(base<...>/utils)
 0.000000   MetaHookPre   LoadFile(base<...>/weird)
 0.000000   MetaHookPre   LoadFile(base<...>/x509)
 0.000000   MetaHookPre   LoadFile(base<...>/xmpp)
 0.000000   MetaHookPre   QueueEvent(NetControl::init())
@ -1553,7 +1561,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@ -1674,7 +1682,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1465969080.55715, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1466281781.049315, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@ -1707,8 +1715,10 @@
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
 0.000000 | HookCallFunction strftime(%Y, 1466281781.048782)
 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F)
 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, )
 0.000000 | HookCallFunction to_count(2016)
 0.000000 | HookDrainEvents
 0.000000 | HookLoadFile  ..<...>/bro
 0.000000 | HookLoadFile  .<...>/bro
--- a/testing/btest/Baseline/scripts.base.frameworks.input.default/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.default/out
@ -0,0 +1,8 @@
 [i=1, b=T, s=leer]
 [i=2, b=T, s=leer]
 [i=3, b=F, s=leer]
 [i=4, b=F, s=leer]
 [i=5, b=F, s=leer]
 [i=6, b=F, s=leer]
 [i=7, b=T, s=leer]
 End-of-data
--- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log
@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2015-03-19-15-44-23
+#open	2016-06-15-20-29-41
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1363716396.798286	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	DNS_RR_unknown_type	46	F	bro
 1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	dns_unmatched_reply	-	F	bro
-1363716396.798374	-	-	-	-	-	dns_unmatched_msg	-	F	bro
+1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	dns_unmatched_msg	-	F	bro
-#close	2015-03-19-15-44-23
+#close	2016-06-15-20-29-41
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2016-01-15-18-41-01
+#open	2016-06-16-20-25-57
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
 #types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
-1078232255.642953	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	208.191.73.21	<nhfjenna_neumann@lycos.com>	<thenightwatch@t-online.de>	Tue, 2 Mar 2004 13:57:49 +0100	Sybille Ostermann <nhfjenna_neumann@lycos.com>	thenightwatch@t-online.de	-	-	-	-	Hier sind die dicken Girls hemmungloser denn je.. grcu	-	from mail.iosphere.net (mail.iosphere.net [216.58.97.33]) by mail.netsync.net with esmtp; Mrz, 02 2004 12:55:34 -0700	-	250 Message accepted.	254.228.86.79,79.26.245.236,216.58.97.33	Microsoft Outlook Build 10.0.2616	F	FVS9k93PUgScEUCOjd
+1078232255.642953	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	208.191.73.21	nhfjenna_neumann@lycos.com	thenightwatch@t-online.de	Tue, 2 Mar 2004 13:57:49 +0100	Sybille Ostermann <nhfjenna_neumann@lycos.com>	thenightwatch@t-online.de	-	-	-	-	Hier sind die dicken Girls hemmungloser denn je.. grcu	-	from mail.iosphere.net (mail.iosphere.net [216.58.97.33]) by mail.netsync.net with esmtp; Mrz, 02 2004 12:55:34 -0700	-	250 Message accepted.	254.228.86.79,79.26.245.236,216.58.97.33	Microsoft Outlook Build 10.0.2616	F	FVS9k93PUgScEUCOjd
-#close	2016-01-15-18-41-01
+#close	2016-06-16-20-25-57
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.coil_parsing_big/output
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.coil_parsing_big/output
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.coil_parsing_small/output
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.coil_parsing_small/output
@ -1,64 +1,64 @@
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], T
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], F
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], F
-1 modbus_message, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], T
+1 modbus_message, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], T
-1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], 0, 3
+1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3
-1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], 0, 3
+1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3
-1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], 0, 3
+1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3
-1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], 0, 3
+1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3
-1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], 0, 3
+1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3
-1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], 0, 3
+1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3
-1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], 0, 3
+1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3
-1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=1], 0, 3
+1 modbus_read_coils_request, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], 0, 3
-1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], [F, F, F, F, F, F, F, F]
+1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55481/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [F, F, F, F, F, F, F, F]
-1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], [F, F, T, F, F, F, F, F]
+1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55483/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [F, F, T, F, F, F, F, F]
-1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], [F, T, F, F, F, F, F, F]
+1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55485/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [F, T, F, F, F, F, F, F]
-1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], [F, T, T, F, F, F, F, F]
+1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55487/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [F, T, T, F, F, F, F, F]
-1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], [T, F, F, F, F, F, F, F]
+1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55489/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [T, F, F, F, F, F, F, F]
-1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], [T, F, T, F, F, F, F, F]
+1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55491/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [T, F, T, F, F, F, F, F]
-1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], [T, T, F, F, F, F, F, F]
+1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55494/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [T, T, F, F, F, F, F, F]
-1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=4, uid=1, function_code=1], [T, T, T, F, F, F, F, F]
+1 modbus_read_coils_response, [orig_h=118.189.96.132, orig_p=55496/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=1], [T, T, T, F, F, F, F, F]
-1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], 0, [F, F, F]
+1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [F, F, F]
-1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], 0, [F, F, T]
+1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [F, F, T]
-1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], 0, [F, T, F]
+1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [F, T, F]
-1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], 0, [F, T, T]
+1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [F, T, T]
-1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], 0, [T, F, F]
+1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [T, F, F]
-1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], 0, [T, F, T]
+1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [T, F, T]
-1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], 0, [T, T, F]
+1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [T, T, F]
-1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=8, uid=1, function_code=15], 0, [T, T, T]
+1 modbus_write_multiple_coils_request, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, [T, T, T]
-1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], 0, 3
+1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55480/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3
-1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], 0, 3
+1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55482/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3
-1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], 0, 3
+1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55484/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3
-1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], 0, 3
+1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55486/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3
-1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], 0, 3
+1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55488/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3
-1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], 0, 3
+1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55490/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3
-1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], 0, 3
+1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55493/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3
-1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, len=6, uid=1, function_code=15], 0, 3
+1 modbus_write_multiple_coils_response, [orig_h=118.189.96.132, orig_p=55495/tcp, resp_h=118.189.96.132, resp_p=502/tcp], [tid=1, pid=0, uid=1, function_code=15], 0, 3
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.events/output
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.events/output
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.register_parsing/output
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.register_parsing/output
@ -1,4 +1,4 @@
-modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=1119, pid=0, len=6, uid=255, function_code=4], 900, 147
+modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=1119, pid=0, uid=255, function_code=4], 900, 147
-modbus_read_input_registers_response, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=2606, pid=0, len=203, uid=255, function_code=4], [0, 0, 0, 0, 0, 0, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100
+modbus_read_input_registers_response, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=2606, pid=0, uid=255, function_code=4], [0, 0, 0, 0, 0, 0, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100
-modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=12993, pid=0, len=6, uid=255, function_code=4], 400, 100
+modbus_read_input_registers_request, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=12993, pid=0, uid=255, function_code=4], 400, 100
-modbus_read_input_registers_response, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=17667, pid=0, len=203, uid=255, function_code=4], [49, 18012, 51, 42, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 54324, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 69, 63, 64, 65, 66, 67, 68, 49, 189, 51, 52, 53, 54, 4151, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 136, 49, 50, 51, 212, 53, 54, 170, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100
+modbus_read_input_registers_response, [orig_h=10.1.1.234, orig_p=51411/tcp, resp_h=10.10.5.104, resp_p=502/tcp], [tid=17667, pid=0, uid=255, function_code=4], [49, 18012, 51, 42, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 54324, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 69, 63, 64, 65, 66, 67, 68, 49, 189, 51, 52, 53, 54, 4151, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 136, 49, 50, 51, 212, 53, 54, 170, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690, 43690], 100
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.attachment/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.attachment/smtp.log
@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2015-07-26-19-20-59
+#open	2016-06-16-20-26-56
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
 #types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
-1254722768.219663	CXWv6p3arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	GP	<gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0	F	Fel9gs4OtNEV6gUJZ5,Ft4M3f2yMvLlmwtbq9,FL9Y0d45OI4LpS6fmh
+1254722768.219663	CXWv6p3arKYeMETxOg	10.10.1.4	1470	74.53.140.153	25	1	GP	gurpartap@patriots.in	raj_deol2002in@yahoo.co.in	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0	F	Fel9gs4OtNEV6gUJZ5,Ft4M3f2yMvLlmwtbq9,FL9Y0d45OI4LpS6fmh
-1437831787.867142	CRJuHdVW0XPVINV8a	192.168.133.100	49648	192.168.133.102	25	1	[192.168.133.100]	<albert@example.com>	<felica4uu@hotmail.com>,<ericlim220@yahoo.com>,<davis_mark1@outlook.com>	Sat, 25 Jul 2015 16:43:07 +0300	Albert Zaharovits <albert@example.com>	ericlim220@yahoo.com	davis_mark1@outlook.com,felica4uu@hotmail.com	-	<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>	<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>	Re: Bro SMTP CC Header	-	-	-	250 Ok	192.168.133.102,192.168.133.100	Apple Mail (2.2102)	F	FKX8fw2lEHCTK8syM3
+1437831787.867142	CRJuHdVW0XPVINV8a	192.168.133.100	49648	192.168.133.102	25	1	[192.168.133.100]	albert@example.com	ericlim220@yahoo.com,davis_mark1@outlook.com,felica4uu@hotmail.com	Sat, 25 Jul 2015 16:43:07 +0300	Albert Zaharovits <albert@example.com>	ericlim220@yahoo.com	davis_mark1@outlook.com,felica4uu@hotmail.com	-	<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>	<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>	Re: Bro SMTP CC Header	-	-	-	250 Ok	192.168.133.102,192.168.133.100	Apple Mail (2.2102)	F	FKX8fw2lEHCTK8syM3
-#close	2015-07-26-19-20-59
+#close	2016-06-16-20-26-56
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2015-07-26-19-21-33
+#open	2016-06-16-20-28-28
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
 #types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
-1254722768.219663	CjhGID4nQcgTWjvg4c	10.10.1.4	1470	74.53.140.153	25	1	GP	<gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0	F	Fel9gs4OtNEV6gUJZ5,Ft4M3f2yMvLlmwtbq9,FL9Y0d45OI4LpS6fmh
+1254722768.219663	CjhGID4nQcgTWjvg4c	10.10.1.4	1470	74.53.140.153	25	1	GP	gurpartap@patriots.in	raj_deol2002in@yahoo.co.in	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0	F	Fel9gs4OtNEV6gUJZ5,Ft4M3f2yMvLlmwtbq9,FL9Y0d45OI4LpS6fmh
-1437831787.867142	CPbrpk1qSsw6ESzHV4	192.168.133.100	49648	192.168.133.102	25	1	[192.168.133.100]	<albert@example.com>	<felica4uu@hotmail.com>,<ericlim220@yahoo.com>,<davis_mark1@outlook.com>	Sat, 25 Jul 2015 16:43:07 +0300	Albert Zaharovits <albert@example.com>	ericlim220@yahoo.com	davis_mark1@outlook.com,felica4uu@hotmail.com	-	<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>	<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>	Re: Bro SMTP CC Header	-	-	-	250 Ok	192.168.133.102,192.168.133.100	Apple Mail (2.2102)	F	FKX8fw2lEHCTK8syM3
+1437831787.867142	CPbrpk1qSsw6ESzHV4	192.168.133.100	49648	192.168.133.102	25	1	[192.168.133.100]	albert@example.com	ericlim220@yahoo.com,davis_mark1@outlook.com,felica4uu@hotmail.com	Sat, 25 Jul 2015 16:43:07 +0300	Albert Zaharovits <albert@example.com>	ericlim220@yahoo.com	davis_mark1@outlook.com,felica4uu@hotmail.com	-	<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>	<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>	Re: Bro SMTP CC Header	-	-	-	250 Ok	192.168.133.102,192.168.133.100	Apple Mail (2.2102)	F	FKX8fw2lEHCTK8syM3
-#close	2015-07-26-19-21-33
+#close	2016-06-16-20-28-28
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.one-side/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.one-side/smtp.log
@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2015-07-26-18-36-11
+#open	2016-06-16-20-28-13
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	cc	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	tls	fuids
 #types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	bool	vector[string]
-1402446189.935267	CXWv6p3arKYeMETxOg	192.150.187.22	57722	192.150.186.11	25	1	enzo.icir.org	<robin@icir.org>	<robin@icir.org>	-	robin@icir.org	robin@icir.org	-	-	-	-	Hello1!	-	-	-	-	192.150.186.11,192.150.187.22	-	F	(empty)
+1402446189.935267	CXWv6p3arKYeMETxOg	192.150.187.22	57722	192.150.186.11	25	1	enzo.icir.org	robin@icir.org	robin@icir.org	-	robin@icir.org	robin@icir.org	-	-	-	-	Hello1!	-	-	-	-	192.150.186.11,192.150.187.22	-	F	(empty)
-1402446189.993233	CXWv6p3arKYeMETxOg	192.150.187.22	57722	192.150.186.11	25	1	enzo.icir.org	<robin@icir.org>	<rsommer@lbl.gov>	-	robin@icir.org	rsommer@lbl.gov	-	-	-	-	Hello2!	-	-	-	-	192.150.186.11,192.150.187.22	-	F	(empty)
+1402446189.993233	CXWv6p3arKYeMETxOg	192.150.187.22	57722	192.150.186.11	25	1	enzo.icir.org	robin@icir.org	rsommer@lbl.gov	-	robin@icir.org	rsommer@lbl.gov	-	-	-	-	Hello2!	-	-	-	-	192.150.186.11,192.150.187.22	-	F	(empty)
-#close	2015-07-26-18-36-11
+#close	2016-06-16-20-28-13
--- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smtp/intel.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.smtp/intel.log
@ -0,0 +1,16 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	intel
 #open	2016-01-18-22-48-42
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
 1449610263.071201	CXWv6p3arKYeMETxOg	188.184.129.157	35119	188.184.36.24	25	-	-	-	jan.grashofer@cern.ch	Intel::EMAIL	SMTP::IN_RCPT_TO	bro	source1
 1449610263.071201	CXWv6p3arKYeMETxOg	188.184.129.157	35119	188.184.36.24	25	-	-	-	jan.grashoefer@cern.ch	Intel::EMAIL	SMTP::IN_FROM	bro	source1
 1449610263.071201	CXWv6p3arKYeMETxOg	188.184.129.157	35119	188.184.36.24	25	-	-	-	angle-addr@example.com	Intel::EMAIL	SMTP::IN_TO	bro	source1
 1449610263.071201	CXWv6p3arKYeMETxOg	188.184.129.157	35119	188.184.36.24	25	-	-	-	addr-spec@example.com	Intel::EMAIL	SMTP::IN_TO	bro	source1
 1449610263.071201	CXWv6p3arKYeMETxOg	188.184.129.157	35119	188.184.36.24	25	-	-	-	name-addr@example.com	Intel::EMAIL	SMTP::IN_TO	bro	source1
 1449610263.071201	CXWv6p3arKYeMETxOg	188.184.129.157	35119	188.184.36.24	25	-	-	-	jan.grashofer@cern.ch	Intel::EMAIL	SMTP::IN_TO	bro	source1
 1449610263.071201	CXWv6p3arKYeMETxOg	188.184.129.157	35119	188.184.36.24	25	-	-	-	jan.grashoefer@gmail.com	Intel::EMAIL	SMTP::IN_TO	bro	source1
 #close	2016-01-18-22-48-42
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
@ -125,7 +125,7 @@
                  [3] arg: string        = FROM: <gurpartap@patriots.in>
 1254722769.956765 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 250
                  [3] cmd: string        = MAIL
@ -133,13 +133,13 @@
                  [5] cont_resp: bool    = F
 1254722769.957250 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = T
                  [2] command: string    = RCPT
                  [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
 1254722770.319708 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 250
                  [3] cmd: string        = RCPT
@ -147,13 +147,13 @@
                  [5] cont_resp: bool    = F
 1254722770.320203 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = T
                  [2] command: string    = DATA
                  [3] arg: string        = 
 1254722770.661679 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 354
                  [3] cmd: string        = DATA
@ -161,13 +161,13 @@
                  [5] cont_resp: bool    = F
 1254722771.858334 smtp_request
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = T
                  [2] command: string    = .
                  [3] arg: string        = .
 1254722772.248789 smtp_reply
-                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={\x0a<raj_deol2002in@yahoo.co.in>\x0a}, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 250
                  [3] cmd: string        = .
@ -241,7 +241,7 @@
                  [3] arg: string        = FROM:<albert@example.com>
 1437831787.889785 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 250
                  [3] cmd: string        = MAIL
@ -249,13 +249,13 @@
                  [5] cont_resp: bool    = F
 1437831787.890232 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = T
                  [2] command: string    = RCPT
                  [3] arg: string        = TO:<ericlim220@yahoo.com>
 1437831787.892986 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 250
                  [3] cmd: string        = RCPT
@ -263,13 +263,13 @@
                  [5] cont_resp: bool    = F
 1437831787.893587 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = T
                  [2] command: string    = RCPT
                  [3] arg: string        = TO:<felica4uu@hotmail.com>
 1437831787.897624 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com,\x0afelica4uu@hotmail.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 250
                  [3] cmd: string        = RCPT
@ -277,13 +277,13 @@
                  [5] cont_resp: bool    = F
 1437831787.898413 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com,\x0afelica4uu@hotmail.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = T
                  [2] command: string    = RCPT
                  [3] arg: string        = TO:<davis_mark1@outlook.com>
 1437831787.901069 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 250
                  [3] cmd: string        = RCPT
@ -291,13 +291,13 @@
                  [5] cont_resp: bool    = F
 1437831787.901697 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = T
                  [2] command: string    = DATA
                  [3] arg: string        = 
 1437831787.904758 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 354
                  [3] cmd: string        = DATA
@ -305,13 +305,13 @@
                  [5] cont_resp: bool    = F
 1437831787.905375 smtp_request
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = T
                  [2] command: string    = .
                  [3] arg: string        = .
 1437831787.914113 smtp_reply
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=<albert@example.com>, rcptto={\x0a<felica4uu@hotmail.com>,\x0a<ericlim220@yahoo.com>,\x0a<davis_mark1@outlook.com>\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CPbrpk1qSsw6ESzHV4, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1437831787.867142, uid=CPbrpk1qSsw6ESzHV4, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com,\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits <albert@example.com>, to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=<uninitialized>, msg_id=<A6202DF2-8E58-4E41-BE0B-C8D3989A4AEE@example.com>, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 End data with <CR><LF>.<CR><LF>, path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                  [1] is_orig: bool      = F
                  [2] code: count        = 250
                  [3] cmd: string        = .
--- a/testing/btest/Traces/smtp-multi-addr.pcap
+++ b/testing/btest/Traces/smtp-multi-addr.pcap
--- a/testing/btest/core/recursive-event.bro
+++ b/testing/btest/core/recursive-event.bro
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro %INPUT 2>&1 | grep -v termination | sort | uniq | wc -l >output
+# @TEST-EXEC: bro %INPUT 2>&1 | grep -v termination | sort | uniq | wc -l | awk '{print $1}' >output
 # @TEST-EXEC: btest-diff output
 # In old version, the event would keep triggering endlessely, with the network
--- a/testing/btest/scripts/base/frameworks/input/default.bro
+++ b/testing/btest/scripts/base/frameworks/input/default.bro
@ -0,0 +1,48 @@
 # @TEST-EXEC: btest-bg-run bro bro -b %INPUT
 # @TEST-EXEC: btest-bg-wait 10
 # @TEST-EXEC: btest-diff out
@TEST-START-FILE input.log
 #separator \x09
 #path	ssh
 #fields	i	b
 #types	int	bool
 1	T
 2	T
 3	F
 4	F
 5	F
 6	F
 7	T
@TEST-END-FILE
 redef exit_only_after_terminate = T;
 global outfile: file;
 module A;
 type Val: record {
 	i: int;
 	b: bool;
 	s: string &default="leer";
 };
 event line(description: Input::EventDescription, tpe: Input::Event, val: Val)
 	{
 	print outfile, val;
 	}
 event bro_init()
 	{
 	outfile = open("../out");
 	Input::add_event([$source="../input.log", $name="input", $fields=Val, $ev=line, $want_record=T]);
 	}
 event Input::end_of_data(name: string, source:string)
 	{
 	print outfile, "End-of-data";
 	Input::remove("input");
 	close(outfile);
 	terminate();
 	}
--- a/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/smtp.bro
@ -0,0 +1,35 @@
 # @TEST-EXEC: bro -r $TRACES/smtp-multi-addr.pcap %INPUT
 # @TEST-EXEC: btest-diff intel.log
@TEST-START-FILE intel.dat
 #fields	indicator	indicator_type	meta.source	meta.desc	meta.url
 jan.grashoefer@gmail.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
 jan.grashoefer@cern.ch	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
 jan.grashofer@cern.ch	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
 addr-spec@example.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
 angle-addr@example.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
 name-addr@example.com	Intel::EMAIL	source1	test entry	http://some-data-distributor.com/100000
@TEST-END-FILE
@load base/frameworks/intel
@load frameworks/intel/seen
 redef Intel::read_files += { "intel.dat" };
 event bro_init()
 	{
 	suspend_processing();
 	}
 event Input::end_of_data(name: string, source: string)
 	{
 	continue_processing();
 	}
 event SMTP::log_smtp(rec: SMTP::Info)
 	{
 	for ( adr in rec$to )
 		{
 		print fmt("Addr: '%s'", adr);
 		}
 	}
--- a/testing/btest/scripts/site/local-compat.test
+++ b/testing/btest/scripts/site/local-compat.test
@ -24,10 +24,6 @@
 # Load the scan detection script.
@load misc/scan
 # Log some information about web applications being used by users 
 # on your network.
@load misc/app-stats
 # Detect traceroute being run on the network.  
@load misc/detect-traceroute
		`@ -1 +0,0 @@`
			`AppStats collects information about web applications in use on the network.`